23542300x8000000000000000860459Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:02.981{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29650D4D00EF2580B4F49A0F7B762B7,SHA256=A724E3BB7D78971C217A2D6B15C862D6F3335663C07AA28D255CD0C924280CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358856Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:02.563{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66752473E6A492DFAE0CD4EAE118A95,SHA256=FAC5EBAFAF6E8DA7FE1CDBB1D3E53B86016507D7F4E3E6920F89503D0B3B5C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860460Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:03.997{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFCD815DA564CACB0FC3D23784A4449,SHA256=24E70D75F40A3D5B558682A87E19EAB275B2AA16D7BFD9F1E7D61CD3576EEDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358861Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.644{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B0F1C263646DD4CA1F2617CA634199,SHA256=6530CBAF29FC3A4734278DD71D40331A315DFB639E7A70866B48643C02F5A80D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358860Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358859Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358858Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358857Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006358869Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:01.734{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1075-false10.0.1.12-8000- 23542300x80000000000000006358868Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB5911E87FDBF4E8E11C20819EA9E3B,SHA256=B96F110F5D9ADE0DA7E08F64003C0A3F23A0FBE212598E9721AB3E7C863E3C4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860463Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860462Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860461Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006358867Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.189{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0646698DA8B8A7BC39F90679A4017B85,SHA256=4A0E34A39D7357AFD91B5A4E6D6E055030C2E904621AEF8D677DF41AAD24AD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358866Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.188{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932BBDD91B37B167299A581BC64EBB85,SHA256=821A57FE144E93B78DFFB3826C05F49FA0D47939A4C65546B73C1C97891076B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358865Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358864Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358863Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358862Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006358874Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.674{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E724751F7C2A5C3BE33E9832D04DD91A,SHA256=C699B5B94023D67AABBE648375459B0374A7C23E91BB812B3F776BD5F4A3651E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860464Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:05.028{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AC9B17C622B787E242A8AAC239A86C,SHA256=3B2DC20ECD55E6DCD9D68640D321F3705B81E10C254DE86881D08AA235DB7C12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358873Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358872Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358871Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358870Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006358879Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.681{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788FD95B11A42E8F0929FE2075936A19,SHA256=33B3627EA1BB7BBD72928B951256250D98F0B9FB9B9E4DF6335AA142807A8746,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860468Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:01.525{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55001-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860467Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9407C3BFC174D7CA0073F80410FFC68,SHA256=F563FB1371CECFDE998E8B62939BED60B3C4FD98CD217B28DB0EF7D1D3E0B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860466Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9CD681E9129511E84EC0B5B1FA06C00,SHA256=4373D46D412A4DF2FBE5F86CD4CA8F295542D78D72F8DF4F5666A14546F6CEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860465Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.043{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121FA9FD349FAB9B0D08E9A799CC24FA,SHA256=438553AE47CC2F2DADBE71F5517A3503372E89E27D7E015E173DBC3B62128448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358878Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358877Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358876Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358875Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006358905Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.892{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\downloading\BITC17A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358904Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.706{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC180C8D986C64C17A37546016CEFBAC,SHA256=DF73B4545E234D1C1D1B3513AAFC89CBFBD0285FEEAAB203AAD054D56970DE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358903Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.698{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\downloading\BITC17A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860469Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:07.059{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B23CECE26FB128D3F98E2AB46016CA,SHA256=A52550A4A283D960F755A3B23DD6CAA116F23D4AC3B591093A5A37609BA168A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358902Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.694{896A638B-B5CB-6058-1600-00000000AE01}13084668C:\Windows\System32\svchost.exe{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000006358901Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.680{896A638B-B5CA-6058-1300-00000000AE01}3882296C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006358900Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.673{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358899Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.672{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358898Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.667{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000006358897Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.646{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0BF65B42F43E5D7CF27101C28E685ECA,SHA256=2A06980D214858202BE3955160371EA711144BF254F9446486AE241821FA870A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358896Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.642{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006358895Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358894Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358893Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358892Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358891Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358890Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358889Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358888Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358887Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358886Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.611{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358885Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.611{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000006358884Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-25 16:54:07.604{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSeb4f0a61-2545-408a-a3c5-94bcc9e30c81 10341000x80000000000000006358883Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358882Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358881Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358880Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006358991Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.428{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1080-false99.84.73.60server-99-84-73-60.hio50.r.cloudfront.net443https 354300x80000000000000006358990Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.357{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53193- 354300x80000000000000006358989Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.332{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53193- 354300x80000000000000006358988Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.322{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1079-false52.26.78.84ec2-52-26-78-84.us-west-2.compute.amazonaws.com443https 354300x80000000000000006358987Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.292{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55081- 354300x80000000000000006358986Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.267{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local55081- 354300x80000000000000006358985Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.228{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1078-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000006358984Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.228{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1078-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000006358983Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.205{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1077-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000006358982Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.205{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1077-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001- 354300x80000000000000006358981Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.092{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1076-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x80000000000000006358980Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.077{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53848- 354300x80000000000000006358979Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.077{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local65028- 354300x80000000000000006358978Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.075{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local65369- 23542300x8000000000000000860470Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:08.075{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C5BC87E9856CF9B7ECF09FCA38832,SHA256=AF62482D769998ABD4C116C591E3622292E25E9296CA3AD16FC52B2DC0DE1BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358977Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.655{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFCD31AF7F75AF5751A5752A62BA899,SHA256=93C3F8F8FD6EDD72D3AE8D48C2800609EADD1F435A2D2374E2CA0055A0D8455F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358976Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0E451643E36377E58E313593766C2D9,SHA256=D456F8E2C1254E48D6FDA3E8C7F43B3A3155C6EF7E95F1F9BD0CFC74FEB0CCEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358975Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.434{896A638B-B5CA-6058-0D00-00000000AE01}8845328C:\Windows\system32\svchost.exe{896A638B-B5CA-6058-0C00-00000000AE01}824C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000006358974Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.309{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll2021-03-25 16:54:08.309 11241100x80000000000000006358973Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.309{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\vcruntime140.dll2021-03-25 16:54:08.308 11241100x80000000000000006358972Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.307{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exe2021-03-25 16:54:08.307 11241100x80000000000000006358971Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.303{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exe2021-03-25 16:54:08.303 11241100x80000000000000006358970Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.293{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\ucrtbase.dll2021-03-25 16:54:08.293 11241100x80000000000000006358969Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.292{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dll2021-03-25 16:54:08.292 11241100x80000000000000006358968Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.291{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dll2021-03-25 16:54:08.291 11241100x80000000000000006358967Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.288{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exe2021-03-25 16:54:08.287 11241100x80000000000000006358966Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.286{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe2021-03-25 16:54:08.286 11241100x80000000000000006358965Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.285{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exe2021-03-25 16:54:08.285 11241100x80000000000000006358964Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.277{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dll2021-03-25 16:54:08.277 11241100x80000000000000006358963Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.258{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dll2021-03-25 16:54:08.257 11241100x80000000000000006358962Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.256{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dll2021-03-25 16:54:08.255 11241100x80000000000000006358961Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.255{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\msvcp140.dll2021-03-25 16:54:08.255 11241100x80000000000000006358960Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.254{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dll2021-03-25 16:54:08.254 11241100x80000000000000006358959Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.253{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dll2021-03-25 16:54:08.252 11241100x80000000000000006358958Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.250{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dll2021-03-25 16:54:08.250 11241100x80000000000000006358957Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.249{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exe2021-03-25 16:54:08.249 11241100x80000000000000006358956Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.249{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exe2021-03-25 16:54:08.249 11241100x80000000000000006358955Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.248{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exe2021-03-25 16:54:08.248 11241100x80000000000000006358954Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.245{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dll2021-03-25 16:54:08.245 11241100x80000000000000006358953Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.244{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dll2021-03-25 16:54:08.244 11241100x80000000000000006358952Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.244{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dll2021-03-25 16:54:08.244 11241100x80000000000000006358951Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.239{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dll2021-03-25 16:54:08.239 11241100x80000000000000006358950Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.236{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll2021-03-25 16:54:08.236 11241100x80000000000000006358949Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.234{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dll2021-03-25 16:54:08.234 11241100x80000000000000006358948Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.224{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe2021-03-25 16:54:08.224 11241100x80000000000000006358947Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.220{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exe2021-03-25 16:54:08.220 11241100x80000000000000006358946Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.194{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\d3dcompiler_47.dll2021-03-25 16:54:08.193 11241100x80000000000000006358945Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.192{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exe2021-03-25 16:54:08.192 354300x80000000000000006358944Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.554{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local50992- 11241100x80000000000000006358943Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.140{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-utility-l1-1-0.dll2021-03-25 16:54:08.140 11241100x80000000000000006358942Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.137{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-time-l1-1-0.dll2021-03-25 16:54:08.137 11241100x80000000000000006358941Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.134{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-string-l1-1-0.dll2021-03-25 16:54:08.134 11241100x80000000000000006358940Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.132{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-stdio-l1-1-0.dll2021-03-25 16:54:08.131 11241100x80000000000000006358939Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.130{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-runtime-l1-1-0.dll2021-03-25 16:54:08.130 11241100x80000000000000006358938Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.129{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-process-l1-1-0.dll2021-03-25 16:54:08.129 11241100x80000000000000006358937Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.128{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-private-l1-1-0.dll2021-03-25 16:54:08.128 11241100x80000000000000006358936Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.127{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-multibyte-l1-1-0.dll2021-03-25 16:54:08.126 11241100x80000000000000006358935Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.125{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-math-l1-1-0.dll2021-03-25 16:54:08.125 11241100x80000000000000006358934Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.121{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-locale-l1-1-0.dll2021-03-25 16:54:08.121 11241100x80000000000000006358933Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.119{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-heap-l1-1-0.dll2021-03-25 16:54:08.119 11241100x80000000000000006358932Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.118{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-filesystem-l1-1-0.dll2021-03-25 16:54:08.118 11241100x80000000000000006358931Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.117{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-environment-l1-1-0.dll2021-03-25 16:54:08.117 11241100x80000000000000006358930Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.117{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-convert-l1-1-0.dll2021-03-25 16:54:08.117 11241100x80000000000000006358929Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.116{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-conio-l1-1-0.dll2021-03-25 16:54:08.116 11241100x80000000000000006358928Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.115{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-timezone-l1-1-0.dll2021-03-25 16:54:08.115 11241100x80000000000000006358927Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.114{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-synch-l1-2-0.dll2021-03-25 16:54:08.114 11241100x80000000000000006358926Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.113{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-processthreads-l1-1-1.dll2021-03-25 16:54:08.112 11241100x80000000000000006358925Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.111{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-localization-l1-2-0.dll2021-03-25 16:54:08.111 11241100x80000000000000006358924Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.110{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-file-l2-1-0.dll2021-03-25 16:54:08.110 11241100x80000000000000006358923Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.109{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-file-l1-2-0.dll2021-03-25 16:54:08.109 11241100x80000000000000006358922Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.108{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dll2021-03-25 16:54:08.107 11241100x80000000000000006358921Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.103{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dll2021-03-25 16:54:08.103 23542300x80000000000000006358920Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.046{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=88F490C8471263CEFC823158BC1BD4B0,SHA256=39280623A0ED7DAB3DEA551B792A65F3E27340F5A666490ABD92DE58C5F9A020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358919Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.030{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006358918Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.029{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358917Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358916Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358915Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358914Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-C9AE-6058-4C07-00000000AE01}34204632C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+39c4d5a|C:\Program Files\Mozilla Firefox\xul.dll+3d3b3c|C:\Program Files\Mozilla Firefox\xul.dll+39e17ce|C:\Program Files\Mozilla Firefox\xul.dll+1c50a|C:\Program Files\Mozilla Firefox\xul.dll+39e1fe4|C:\Program Files\Mozilla Firefox\xul.dll+cb641a|C:\Program Files\Mozilla Firefox\xul.dll+4155f|C:\Program Files\Mozilla Firefox\xul.dll+403bd|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006358913Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.013{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe86.0.1Firefox Software UpdaterFirefoxMozilla Foundationupdater.exe"C:\Program Files\Mozilla Firefox\updater.exe" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0 "C:\Program Files\Mozilla Firefox" "C:\Program Files\Mozilla Firefox\updated" -1C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2MediumMD5=0CAAD3A6E62C8DEAFC160569FDB38EFA,SHA256=8D1FCBBF1872669F0DB776C643022C55DF92C2AD8CA6F17AB920E93539A5029B,IMPHASH=6BB751462A4674EA8871D6EED6988FCC{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x80000000000000006358912Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.016{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0646698DA8B8A7BC39F90679A4017B85,SHA256=4A0E34A39D7357AFD91B5A4E6D6E055030C2E904621AEF8D677DF41AAD24AD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358911Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.014{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358910Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358909Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358908Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358907Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006358906Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.006{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=21B14FA7F5DEED372D093DE77DB5C795,SHA256=EC6C7C37BE67A0E4443C2A14B2BB45414FA992D0AEE701D18E8B30DD6F99731A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358999Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.904{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301FD684A1D0E6CB0DEBA35D2A5220B,SHA256=25CA174180C19DB422FD1C0EBFC6EAA2C5B4E5F24D18C602810B16EF1CB97FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860471Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:09.090{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A84FE0D1BB8933CAE6A527DDA6FBD8,SHA256=30B36EA74ECBF2B8547DB75385EB8BDEC2F94C924F7976F76316595180EEBB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006358998Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.459{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1081-false99.84.73.60server-99-84-73-60.hio50.r.cloudfront.net443https 23542300x80000000000000006358997Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.055{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92CE1F62026D90F329122ECD433939E,SHA256=AE7CBDEB5F8B78D57E881CE43094C5AC9089F54EDE2A3AB8CAABDF2E6B2BFB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006358996Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.054{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D46BDF3CF530465155C79EB69AA628,SHA256=E9C9B80829DD6A911FD7D8ED4D37AF7D97B11B5CE5AD39D12355678B896786D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006358995Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358994Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358993Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006358992Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359005Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.547{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll.sigMD5=C458200B262607EBBD3C19BC68F02056,SHA256=CBCE689916F6BD93CF3AE65BBFD2323CD8DA3A3D56058F7BC095747429DD788E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359004Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.074{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B50A6DA0CC8A2B845DB81EACBF9B499,SHA256=3F8177F3BF11DFDA9B7F819D9170C6E21CCDDA5EB59F9A0FCB8E8E77D895ABE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359003Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359002Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359001Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359000Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860472Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:10.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7F971682F03F5A5F934AF09B0F781B,SHA256=D4B2F388CE25CD4CF22E474BC4364EF83A3FE620D6EB2CF41ADD47B2A956C324,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359019Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:11.767{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll2021-03-25 16:54:08.309 23542300x80000000000000006359018Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.767{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dllMD5=E085DCE70C7F8C9EE9A804E9E3E8E67D,SHA256=0ECC2C0CAA97762277401B330204C0A4DC175692A51CF78EA6C2A903ACFBC0D8,IMPHASH=760C534AA07F0E10F4E1CBE431280F84falsetrue 354300x80000000000000006359017Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.630{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1082-false10.0.1.12-8000- 354300x80000000000000006359016Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.461{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local50021- 354300x80000000000000006359015Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.460{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local62794- 354300x80000000000000006359014Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.460{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local61429- 354300x80000000000000006359013Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.459{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local56936- 354300x80000000000000006359012Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.300{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63197- 354300x80000000000000006359011Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.300{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local52121- 23542300x80000000000000006359010Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.102{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B7F0DAA0AE54919E821463951844DC,SHA256=328FE5D213D915DA0EAAAD84B0C10BA21662C8E9A4E1AECC3EEAB54741A3B8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860475Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7793159278806FFAAB108063F9482F,SHA256=0D0C5EA80B21F73F48BE2B5955F7AD10F6A58C7F3FCDF3C38300847B5E2E7BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860474Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9407C3BFC174D7CA0073F80410FFC68,SHA256=F563FB1371CECFDE998E8B62939BED60B3C4FD98CD217B28DB0EF7D1D3E0B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860473Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E07FBF033A56E55CAF13E835C71CF4,SHA256=1A90A4F6E55B788B018E087B6ED219E80DBEB357EAF296B4AC01704C9EA3F821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359009Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359008Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359007Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359006Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860477Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:12.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FDC2060102675592A067610C9C2ABE,SHA256=8298F5B0B4DABC6F274267174FCD3FE20EE43A5B70C3A79054B200B09D3E51E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359079Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.746{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exe2021-03-25 16:54:08.192 23542300x80000000000000006359078Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.746{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exeMD5=9C565EB893C4D1CF3F85CA539009B9C8,SHA256=0129DCA6E2287A55D46F8D0F6E690CC90E96C03E1A14475881B1C4FE21447402,IMPHASH=8EBD8B03FBDBAB7D4792FDBB60C96D92falsetrue 11241100x80000000000000006359077Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.740{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exe2021-03-25 16:54:08.220 23542300x80000000000000006359076Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.740{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exeMD5=97D2F00500F66B6A8D7B88743DDE10C7,SHA256=DE84310FD61BADB2BB8E2844896F49EC4FFCA02C8DE694A77E2DF272A7EE0926,IMPHASH=8E4BFDD6F6CFAA4316FB1CA7E3ACBA66falsetrue 11241100x80000000000000006359075Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.730{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe2021-03-25 16:54:08.224 23542300x80000000000000006359074Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.730{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exeMD5=5B68C17D571DCAB4E2FA29EE0DBEC5CB,SHA256=929A1A95196BD1165433CEBF4152A2FAB6EFC3D2EB298E08F8229C5B22AE8DC9,IMPHASH=8FBF1ADBCE9C978414F8FE0722EC7401falsetrue 23542300x80000000000000006359073Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.722{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe.sigMD5=E85203BFB2A5F437E93565986C2F17B8,SHA256=A02EA0645354984CDD2DF9FEE1C47143F9EB7B3860CE3A0CDD0F5049250B6690,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359072Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.720{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dll2021-03-25 16:54:08.234 23542300x80000000000000006359071Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.719{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dllMD5=224C0F6E09DC0D5E5E5F343765500C5C,SHA256=8E1127F8B81EC2849EF860850025E39A0DDBF0CA93855BDC54275029B45FECD3,IMPHASH=53652A7DC9DFE48EFEF7CDBD318659AFfalsetrue 11241100x80000000000000006359070Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.709{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll2021-03-25 16:54:08.236 23542300x80000000000000006359069Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.709{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dllMD5=2AF446AB140C67CBEA5A00DDC3787B04,SHA256=749438B7358EC94E3859B1C96E958E7FA0CCE85BFBECEBAB5E8530C8AFF72744,IMPHASH=9616EE7CBB91354D54B7E6653D9C472Efalsetrue 23542300x80000000000000006359068Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.706{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll.sigMD5=3FACC94B632C1E857415250CE5C37B37,SHA256=4A9B930FFDE7D4B7FA01495F2AC4A6C31CDE5BE65863397961D9B43DAD8658AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359067Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.705{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dll2021-03-25 16:54:08.244 23542300x80000000000000006359066Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.705{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dllMD5=C266AB99302A0CDE9B34A32695BE3BBA,SHA256=2938AE1A7E5B4151485828759F017FEA74918408748DA64E2C2C33B091F75C79,IMPHASH=451AECEA9F58042E76D96A82BE2804FAfalsetrue 11241100x80000000000000006359065Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.704{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dll2021-03-25 16:54:08.244 23542300x80000000000000006359064Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.703{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dllMD5=F43032C3942F1584A0B45CC195D19F36,SHA256=F08887754BD6CC589DF2DB205CD37AE5F7DC1A4F62EBF097349AAFD952836B6D,IMPHASH=45C02D0DAE806A78FA0B6FD156E8FE18falsetrue 11241100x80000000000000006359063Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.688{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dll2021-03-25 16:54:08.245 23542300x80000000000000006359062Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.688{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dllMD5=E9C4523F31BFC3329414E77CE3C01D1D,SHA256=5D25BFE547DBE7FA854DE20EF9DBE74EE04862C5360F7300C8D72AF159339EB0,IMPHASH=53B978A281F673CF0A5B322B6A728EFFfalsetrue 11241100x80000000000000006359061Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.644{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exe2021-03-25 16:54:08.248 23542300x80000000000000006359060Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.643{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exeMD5=2C8598CD76958DE4F9DD128DA734EAE9,SHA256=C19B86BFCF91B4B64BA951A9CFFCE5BFB48C8B4338EE6BA35DCBC26EBB59D591,IMPHASH=E4793B8A2E804520C3AE2CFD62D76D97falsetrue 11241100x80000000000000006359059Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.639{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exe2021-03-25 16:54:08.249 23542300x80000000000000006359058Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.639{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exeMD5=F51270AE8DE857422D7AB0881CAC50CE,SHA256=EC97B8AC201DD92CADE670F023983721CFFADDD47160536C334E2FBEE66FF3B7,IMPHASH=E2A592076B17EF8BFB48B7E03965A3FCfalsetrue 11241100x80000000000000006359057Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.635{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exe2021-03-25 16:54:08.249 23542300x80000000000000006359056Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.635{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exeMD5=54076F8E5429754913F374EF22566F88,SHA256=A113C6F7E58C038D0BE3913BD9F4FC71147B83259B5B5BEF8BED3700512FE76C,IMPHASH=C026F4538962546154985082F0414A24falsetrue 11241100x80000000000000006359055Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.623{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dll2021-03-25 16:54:08.250 23542300x80000000000000006359054Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.623{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dllMD5=076CAAA89D765790AF1ECF20C3A30ED1,SHA256=973E67AA69BBB8A890CCB9E279361187C286D432C7499B5822CA27D2DEFAEBDB,IMPHASH=74D45A8D6BF8351712FBED4E67DB54BBfalsetrue 11241100x80000000000000006359053Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.599{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dll2021-03-25 16:54:08.252 23542300x80000000000000006359052Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.598{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dllMD5=A959A793B45E0D3B6DE8CD0F8C409376,SHA256=8952BAC0769A4FEB3C6ACD32BB62D654E3054D86C29AD60C2EC612460A064FA0,IMPHASH=D19ADDD1AED758A8478ED00FFFFF2420falsetrue 11241100x80000000000000006359051Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.595{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dll2021-03-25 16:54:08.254 23542300x80000000000000006359050Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.594{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dllMD5=64543A9C791B45E1DA4AE445F1ACC1C3,SHA256=69BCD88A556CD754FB1676A3692BA7BF86127B9A3A8B2BA9C29459D31C8924C3,IMPHASH=880BD99A47DA508AD8E7E479B22900B6falsetrue 11241100x80000000000000006359049Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.582{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dll2021-03-25 16:54:08.255 23542300x80000000000000006359048Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.581{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dllMD5=F90860EB40549CA33D03AC2BA9A9E4FB,SHA256=21E3D45AD815EB1A5FC1C96775076F709996924C74AA2AD741C9D8DF3AE9EEAC,IMPHASH=B394C4A0F026C7AFFA1F860C5A1674C2falsetrue 11241100x80000000000000006359047Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.555{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dll2021-03-25 16:54:08.257 23542300x80000000000000006359046Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.554{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dllMD5=5F6CA156D9ADCD9C57BF2F19261BAAD3,SHA256=B5A3256DC70CDFA8A7A2F59F2013DF3B4F034A31A13B46A5278B620DCA328D66,IMPHASH=5986500029C9F7E013CB3FF371CB6F5Efalsetrue 23542300x80000000000000006359045Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.490{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\omni.jaMD5=3B5F7A75F2B662CC60DC43A1DF24FC98,SHA256=1EB42426D570D6E02DF036136B7F4D721525A3CBBB934ECDA5470A7FE78EDC3D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359044Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.185{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dll2021-03-25 16:54:08.277 23542300x80000000000000006359043Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.185{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dllMD5=E302A93B3212F9EC05AF221ECB067F59,SHA256=4951269EDBABBFF08E7C3A63A7552597B307F3D0FB6737248E4F3915766FB5C0,IMPHASH=AEB6155624A9EF250233718435B4BC1Afalsetrue 11241100x80000000000000006359042Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.180{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exe2021-03-25 16:54:08.285 23542300x80000000000000006359041Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.179{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exeMD5=DF0602ACE512A03016D000738C41A000,SHA256=F9BECECD2BE7D45A1503F2232E209C6CE4AF2E8B5EAEBD21766C47FFF15C6505,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632falsetrue 23542300x80000000000000006359040Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.177{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\platform.iniMD5=C22F066F88D0D18E80D54595D281914A,SHA256=A3AD4BC88211C99E690124FFD1C7019180F997630F1E5CD4EF2C05AC2E2C1E13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359039Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.176{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe2021-03-25 16:54:08.286 23542300x80000000000000006359038Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.175{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exeMD5=5A812EAB1A5F92C62466E553D237B1E5,SHA256=08393C4153E57F33F38FC9FA99C41D448314B00AC02340A3035DD50799F42D10,IMPHASH=0E85FC39F620360C45F1854D350219AFfalsetrue 23542300x80000000000000006359037Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.171{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe.sigMD5=18629F1F33221128B5C24196263E92A9,SHA256=12DB19AA8646017CF6EFFF88DBB1F773DA4183E2239690BCD0F1A5EA0263ABCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359036Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.170{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exe2021-03-25 16:54:08.287 23542300x80000000000000006359035Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.169{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exeMD5=572C2939779568E80E422627452DB601,SHA256=99AE0FE6A207CF21F142DB663BA6F7D6EEFB18FB7A22E6B32FE2D89EA519215A,IMPHASH=67E1F2F531D25FB7C5EC5E942BEF5B08falsetrue 23542300x80000000000000006359034Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.167{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\precompleteMD5=CA5EB5307F4F5A145C89CA93DCB41C90,SHA256=BA58E12F0F0C4F5CD7E761AB8DC623A3265534782DC6147FBD775579D4A441A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359033Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.166{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dll2021-03-25 16:54:08.291 23542300x80000000000000006359032Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.166{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dllMD5=B0BDEC002DF5A6CA91666CD00252621D,SHA256=6BA46B8BE23DFE5A33AF3022A74FD9715D3A0EA6BC7EC1D2BC55879F2B77E6FF,IMPHASH=917C52799ED8B97E2927F898C7465E04falsetrue 23542300x80000000000000006359031Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.165{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\removed-filesMD5=FEFBFAC37461BD30E05F5BEFAA1F7705,SHA256=52523DA24287C4D459131C2E4818A713A732765E06E9BBBA1CF353888BA34F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359030Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.163{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB036FC36BEB7C59F9C57B77DCAFD2E2,SHA256=10E6DB1128A663926214EF2D6C0CCDD024A7AE02E9B1BED06F4EC6888505719C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359029Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.163{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dll2021-03-25 16:54:08.292 23542300x80000000000000006359028Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.163{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dllMD5=808F159384F69FE08920742561FE6404,SHA256=74EB84278C2D607A994E9CE4718225DBCA542A45D4A8054CBEBFB50D06E2A84C,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6falsetrue 11241100x80000000000000006359027Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.079{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exe2021-03-25 16:54:08.303 23542300x80000000000000006359026Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.079{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exeMD5=65E4C14E2AD9112C78A706CF65904AA6,SHA256=F8C071072BA245E719211F886619AD4745C280B2B2F43C2F4AA7A8773EAEAA4D,IMPHASH=E2A592076B17EF8BFB48B7E03965A3FCfalsetrue 11241100x80000000000000006359025Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.064{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exe2021-03-25 16:54:08.307 23542300x80000000000000006359024Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.064{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exeMD5=0CAAD3A6E62C8DEAFC160569FDB38EFA,SHA256=8D1FCBBF1872669F0DB776C643022C55DF92C2AD8CA6F17AB920E93539A5029B,IMPHASH=6BB751462A4674EA8871D6EED6988FCCfalsetrue 10341000x80000000000000006359023Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359022Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359021Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359020Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000860476Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.650{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000006359095Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.620{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B0B420C2EBF4311F95CE48BB3FEF77,SHA256=2E8CFD14E2C8884D144FF22AE1BE0E9B0479C9FEA50148A29E3F6C8902B74E52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359094Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359093Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359092Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359091Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359090Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.371{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\0.patchMD5=796559DFF422C76D1D3330368EB5AF61,SHA256=A11F54B5079384388182856AD81B257987352496B4C119E6C6C4A4E54F4E29ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359089Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.369{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dll2021-03-25 16:54:08.103 23542300x80000000000000006359088Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.369{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dllMD5=35CA6C59BFC8AEE6E9562BE9436D9E44,SHA256=1A556F809F4BA458C728381C9E692DC3398A3A9D7E9EFCB795356C0F294696C7,IMPHASH=E1BA3B55EB32E4C178FAE6DDB8B06FF9falsetrue 11241100x80000000000000006359087Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.366{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dll2021-03-25 16:54:08.107 23542300x80000000000000006359086Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.366{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dllMD5=90601C0711B2C86773FE74DF00FB774F,SHA256=8E347DEBC4BAFFEF769B0D073455621369DE3538D301130982A20F4C6AA2F339,IMPHASH=905B6802FDC25413D4662E31BCBD590Efalsetrue 11241100x80000000000000006359085Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.364{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dll2021-03-25 16:54:08.239 23542300x80000000000000006359084Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.364{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dllMD5=856489B65C04918AE5642EE5FC732D86,SHA256=40782891EB7B08B18140EF6C4B353B87797DAD833222FDE7699B5FF76F4B69B3,IMPHASH=D75684F47087070B549E67B7E925047Dfalsetrue 23542300x80000000000000006359083Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.362{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\application.iniMD5=843BD3168C7B7302C06991BACC54C0EE,SHA256=E4DACC1106985A2DB60FC77CC890B46D269F09E25F082FE914AC5C8F24B09A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359082Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.358{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\features\formautofill@mozilla.org.xpiMD5=DBC664E697D6AA2E34C6D0112196BB20,SHA256=9019F0D74F67A177E375D503E88444946A295DAFAE886020E144175A2DCB48BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359081Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.346{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\features\webcompat@mozilla.org.xpiMD5=F1ED4A0A68B2A39EBCCA0473F6D1C4B7,SHA256=9B05F825BB44C82501DED2B5E963F53C5EFFE97D8193581C0AA5FD5BCEED48F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359080Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.254{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\omni.jaMD5=523DEEC4E38AA02D4ECEE8D4F97FAFAA,SHA256=BEA04C6FE3800B4D9A8CC97A51F6AD258E3BA07ECAC5CE88CF801FBD37D278DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860478Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:13.168{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB6852225CE0F2E880DDD3F5BAA7783,SHA256=B03586B36DA57550FD794B430FFE430AF6F3A6302FE2D675DF63EFA2243CEBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359132Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.995{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\32.patchMD5=B195F8AE970D1438BE9C5408586B039C,SHA256=CDEE27E82543F76A905FEF58C7104EA60F293E8224AEBC98E04153F8BB493690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359131Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.993{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\31.patchMD5=D2BCB0FBEEB3D09FA772517C005A6C25,SHA256=583A9F7AE13685819169B5D18EB586D79AAB361469617A589C93B337DD32E8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359130Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.630{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\30.patchMD5=06EA4C802F341488EE537BD520B1F330,SHA256=53088B6902152F4C8FE2E406C03A4D457F65BDB711381130EDDC9F1C37892984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359129Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.628{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\3.patchMD5=4C6533339B7C411BB977C3A206A1039E,SHA256=9A6699BF2EA2A975DD5B24E59947822125152F88EA3353434344AC6BA91DEF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359128Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.620{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\29.patchMD5=D9FFC4A2B52DB9CA29C69E153EF178A1,SHA256=0670D469A3D50DCD15206B9378E3A344E937DAF1E1388C97137EB6AE7EE0EF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359127Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.614{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\28.patchMD5=C51670100134DA51C8BA1987A1F35BBE,SHA256=05F82F1AA3DA02BBF54A7136837834951DBB4E2322D1EA348184EC35A38E9A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359126Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.609{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\27.patchMD5=3C5F871C6E4A276BF665A7030F9D882E,SHA256=79E6D5A9AA30A7A9B8CC794586549B5263A4BD3400C89C70FF2B0F900F513991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359125Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.608{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\26.patchMD5=3591F4DAC2293DC313AF305C170A5B5D,SHA256=926CC1DE9617E5B9F35C0CE8698A5EB9442ECF03A85116A803766B2980A322A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359124Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.601{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\25.patchMD5=F7C613A5294FDDCBCBD7F6E54A80278C,SHA256=E728BEA647DB01D94743C922FE9CF41824FCB1AF9E7C16A02AA927DC8805DC0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359123Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.600{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\24.patchMD5=B50868B07F9A01351F4CD6BCD95AE630,SHA256=7873F242D72CDF772688F297AC163F1FC6FD957548C4153FB03633C20924E3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359122Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.599{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\23.patchMD5=6F38B6EBB19241C0908DEBBDB6D5DD9E,SHA256=2FE1A6BC71EA0C9AD4DE053EA35707112BFA6B12416697D339C3333CFD720DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359121Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.598{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\22.patchMD5=7D5EFF8FEDD90CCE620194658CC00D57,SHA256=8E7B3AC6033F7149799FD4C3C0EAA4D7F0140645D15F02126A2C5C37FA14DC83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359120Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.597{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\21.patchMD5=372B35B485677BEAE1026F97C492DEDE,SHA256=0FADDBBA9BAB7C55D8F9D4C7155DCD5D61CC38AC22C5182161437044330C562D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359119Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359118Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359117Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359116Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359115Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.561{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\20.patchMD5=78E3E0F58BE7DF15C7AFFB0CAF0AD567,SHA256=0A4990D9B6067F4E932FE524D059E68925633E5CBC13778ABA420AAB282E4380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359114Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.558{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\2.patchMD5=49BEE4AD5F39EE6556C84F0608245199,SHA256=DB1E1F88CF87F36133B271DDECC50A5FADAEF27E3240DA3FE5D9894A2597ABC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359113Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.554{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\19.patchMD5=F68CD7D1CE5054E60A7508A4B74EA1D2,SHA256=36A1D71C8D8EBD6EA5BBF4AB715C4F02CAABD7184B44464308E274C00170E464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359112Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.552{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\18.patchMD5=8D53D708ADDDD8CC17631F89CC11879F,SHA256=A26AC19D96B30E9112B03F72979B8E82D4F720B11F47D955B4ECD4A1B3E39556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359111Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.547{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\17.patchMD5=9CE69F5E4FAC42295B5798B5D53464F2,SHA256=EA00D2B91D243F7D55DDC7128D97E31757362B9FA97B2ADCF488E799C3B34A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359110Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.532{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\16.patchMD5=653607270775FD4E70D9A70938AFB2E9,SHA256=D928923FF4B34FFA2C308A785479335B5518117C375CE5D11167D1127E5F3179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359109Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.530{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\15.patchMD5=4594F0EA34CE1A48974D06CAA06E3853,SHA256=87A819D2EFE4B4B8B4B99A7FF87E22301C4297427674A63CE509EE2EA42DDF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359108Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.524{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\14.patchMD5=C534BCB0B860FF2F0117E3670795F394,SHA256=E2C1A1CDA52D8922A766ACCD0A17B241E3A73F1E7ED208E7FF26EFCA9155CD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359107Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.507{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\13.patchMD5=F2959668F0C1C9DE35E983C33B449AB7,SHA256=5A59BC81D045BC13135B473D8131AA1CB430C8476F14AE46F0532A25FB12B442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359106Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.503{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\12.patchMD5=FC78B0AF88649E53D5D6B4759C522FD6,SHA256=7FD62E65357BA07C9E95DFF3233976B2E94A1D7DF9633A7DD89639A4895826B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359105Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.291{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\11.patchMD5=DDABED440CA7016F9E0197633095DBAE,SHA256=95A68EEF36C75728A79308D88731E41E8E342A4B0978C64839C8C9183CD71AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359104Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.288{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\10.patchMD5=35AF109E34B40A33BC7525DDD55D265C,SHA256=2525683E8B7AD56C86501CE2CB7199AD08192A1E28C410ADDA079470F3DE5AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359103Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.286{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\1.patchMD5=55FCFDBB25DA4E1871DD9AEF6BE9D441,SHA256=DB6C21865B495F6D00CEECF97E3876F5743BACDD69CCDA4EAF545624BFAC1C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359102Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.285{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E147892E724E81E0923F7CBB1B43BF,SHA256=9EE8068794832FBA825E8DE9DD026457AD176828C0BFB2613ABFFA0BE6C6DC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860479Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:14.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BDB9F522399531E8A40668CE08ECFC,SHA256=87279465B6BB5B41DBCA1D5E9C018B1A5C5BA4AA0DFF025A68E5C0800D2BBAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359101Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.133{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-F3F4-6058-4510-00000000AE01}404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359100Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.133{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-F3F4-6058-4510-00000000AE01}404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359099Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359098Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359097Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359096Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.128{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359168Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.655{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138358927B8CE0D6A6172A16CF8A1AEE,SHA256=AC91A5B73B7B94BC54C0991882E16CAFE3CB139D90DDD0EFA6039258E9F385AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359167Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359166Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359165Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359164Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359163Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.348{896A638B-C037-605C-8C89-00000000AE01}6136ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\saved-telemetry-pings\cef37f03-1044-4461-bc0a-23a4d76972eeMD5=F75C3ECF5EE0B6C212D9304337B2661F,SHA256=9C195AF18D347FF2F488B494A777A0E5358855230572E009AB6004A493F794E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860480Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:15.215{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D48816209890DC4D90B34116C0C13B,SHA256=777772015E20AD0BFDE8D9EBC0ACAA6A47EC2D7B7E04CD7BC469CC1FB00E077F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359162Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.263{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFE46029C222C42FC76321D00385560,SHA256=DA0272FD6FDFE8D80D1253E3FF9F796364E6DB36411AFE725A2AB7E8855D1DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359161Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.262{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2718FB584A77E5F32728106353B8EA2,SHA256=06BA73CB7DF6188167AF57699B86603F8ACD169C331F1C696E01823F41A1CF81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359160Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.200{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359159Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.182{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359158Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.182{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359157Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.134{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359156Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.133{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359155Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.130{896A638B-C037-605C-8D89-00000000AE01}11606152C:\Windows\system32\conhost.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359154Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.123{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359153Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359152Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359151Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359150Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359149Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359148Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+cbd50f|C:\Program Files\Mozilla Firefox\xul.dll+cbd325|C:\Program Files\Mozilla Firefox\xul.dll+cbd371|C:\Program Files\Mozilla Firefox\xul.dll+4cf5162|C:\Program Files\Mozilla Firefox\xul.dll+13d13e2|C:\Program Files\Mozilla Firefox\xul.dll+13d323a|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+3a76398|C:\Program Files\Mozilla Firefox\xul.dll+119800|C:\Program Files\Mozilla Firefox\xul.dll+2e4406|C:\Program Files\Mozilla Firefox\xul.dll+3b3307c|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+2c876f|C:\Program Files\Mozilla Firefox\xul.dll+13b494f|C:\Program Files\Mozilla Firefox\xul.dll+411cb|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f 154100x80000000000000006359147Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.108{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe86.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/cef37f03-1044-4461-bc0a-23a4d76972ee/update/Firefox/86.0.1/release/20210310152336?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\saved-telemetry-pings\cef37f03-1044-4461-bc0a-23a4d76972eeC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2MediumMD5=DF0602ACE512A03016D000738C41A000,SHA256=F9BECECD2BE7D45A1503F2232E209C6CE4AF2E8B5EAEBD21766C47FFF15C6505,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x80000000000000006359146Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.088{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update-1.statusMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359145Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.015{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=E1E047359086670F55D8E6B7FFCDB951,SHA256=61C1C8CDED1D1A291011FA526F8332D7B515DECF6398F0A31953862C661C88AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359144Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.014{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\update.manifestMD5=D0A9D8E55F4A998DD8D00ABBB0D21F2D,SHA256=4B257EEEB03AD6E98AFB695879C1F0064C95D85C099219332350C212A68FEB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359143Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.013{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\9.patchMD5=E420F6ACFB9B425926327B3611C69F65,SHA256=CA1723EAB0265F7AB5B39C048C5F93996FADFE3C433D73B2ADB13F52A6BF3E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359142Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.013{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\8.patchMD5=686E953AEA76B32F35F4AB1B9F958DD7,SHA256=8A11D03B9A996043555BD6A5608B2AFC20408AB9C095915F0AA9A8C718541B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359141Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.010{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\7.patchMD5=C16FD15E3B5F5DAB34787A6FE381F4D4,SHA256=35EC544F2FA26EF9113DD3961B77B9E7D81E81B70DBAE7B7FE0B66643AB611C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359140Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.009{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\6.patchMD5=65639161FC939C1F25E105DB5A7A4343,SHA256=0B36186D9423FAF0371780D0E869768BFAED73EB1A295854DC8C8C2D2A1D342D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359139Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.008{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\5.patchMD5=D8D8CD76AA487AA018138F13E54E721C,SHA256=4383792FCF0145F55F9592C83E33E5873A5C48AB935E3EB02F1D89C1B9A29A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359138Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.008{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\4.patchMD5=6041149D6C11D8694CC66D3CC056E9AC,SHA256=2AD9EEF1B477A4B06E39D89F00C81752C863E7596B1C37516BE37D6598871121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359137Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.006{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\37.patchMD5=BE283F9F41F7E2E2146CFA652F874940,SHA256=FF295A413122B9094F36D1EEF8F23AED264B5EF861503CC54F1BC43BE6BCFB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359136Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.004{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\36.patchMD5=E1AA666DE05DC20627721DBDC42E59AD,SHA256=81F2A686EF25C8F138374E80A0C998F5B86DD2A317522EC21B92B420B086D6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359135Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.003{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\35.patchMD5=DA10981DEFB7482D97C0D6A7E4468D73,SHA256=BD25EA8802E47A263076F48BDD16A443140462C43CA5F2CE87B620C79EFB88B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359134Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.002{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\34.patchMD5=40BADFF88D46D9760DF7A878DDDE1349,SHA256=D074963A6A6E154C4B2B9B228E0AD26843AD3DB95E823639C409405F419AD4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359133Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.001{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\33.patchMD5=142B38A68E7A22662161669B346B2B3A,SHA256=A0557EEF79AA73321ED0FFC11334A72DA511841934C055B828E1F9C1F3A8B99A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359175Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359174Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359173Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359172Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359171Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.754{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1083-false10.0.1.12-8000- 23542300x80000000000000006359170Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.355{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F981A7A36D4C57DB544CAEDEBF6A5846,SHA256=6DE4EB1A8F9895A8F6E6865025ED4FC5E3ABA5F7AF8EB51113F1BCBCEF129D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359169Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.355{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFE46029C222C42FC76321D00385560,SHA256=DA0272FD6FDFE8D80D1253E3FF9F796364E6DB36411AFE725A2AB7E8855D1DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860481Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:16.246{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E9509E1ED4E0685BDD9153725C5A9B,SHA256=C12F227ED1DA8FA628CD6910115AD86DE83B8E0F56E6BB1FC287309B896F956D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359186Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.604{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359185Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.604{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359184Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359183Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359182Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359181Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359180Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359179Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359178Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359177Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359176Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.361{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCB9C84AE6CFF435F1DA475E8308267,SHA256=2AE0B2B588BBF76D8148329545014B7225B2FF999314A1385AD553981A687961,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860485Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:12.494{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860484Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077F14F45AB8795E4914403C2731FAA2,SHA256=35C0424130BA7CA544AFC1D45317DFE29008E8F16DF159FF32EB8999B4806098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860483Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB49A3A301A908C9D1414FCC383A412,SHA256=03A8B1864AA26531CF06BBF338561C8D49C50B804EB953F1CB81336218625F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860482Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7793159278806FFAAB108063F9482F,SHA256=0D0C5EA80B21F73F48BE2B5955F7AD10F6A58C7F3FCDF3C38300847B5E2E7BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359191Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359190Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359189Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359188Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.391{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813CC910C3840117E35B29F50A067EF5,SHA256=03CBF1E4A566F3468E154399FF438CAABB925DB2FAC8629B1DD27DE5C7921A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860486Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:18.293{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D177CDA3480F05B9C2BC0DA231B534,SHA256=3AF4479850467870FF6E1FB64F7A48FDD35FD8145C5C900DD11A420DDB290894,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359187Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.807{00000000-0000-0000-0000-000000000000}6136<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1084-false52.35.57.239ec2-52-35-57-239.us-west-2.compute.amazonaws.com443https 10341000x80000000000000006359197Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359196Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359195Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359194Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359193Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.397{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F4508C380BFCC85A27AA549AB51A1D,SHA256=068A499CFB59654382C3142366B2EC653391302A2410103C5A37BBC914445EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359192Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860487Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:19.325{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEACC7CFD9D5F8EF62E73015DC8B6068,SHA256=C9A5638AA17A50CC751C8FA841777884D1787A7D48049C6BCB25D4CF968FB85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860488Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:20.340{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F22A31F7F2007C9EC2AF0DF07610741,SHA256=C090D811298FAAE17FCB4BC87E94AC49C3E2344B66A9AB95105C43CB3B00385E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359202Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359201Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359200Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359199Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359198Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.417{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFC83B801BABC38BC4B946566211A1C,SHA256=AB8FD666CE06D166A13E5F72162930C08D610D8392D163047F3F9FAB9AD4903E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359209Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359208Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359207Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359206Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359205Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.430{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878E637F88A978FFDDB0861BDBEEFE26,SHA256=5B585B4085C0AF806F989010F57308892FAB0BFB192BB9E0586B9DAFADEA002B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860489Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:21.340{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CD4217372050D8D9710125A83D1151,SHA256=9C3EA724724E628DCA848C5C0A12246438D629A0265CE65343294176EC9C8733,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359204Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.631{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1085-false10.0.1.12-8000- 23542300x80000000000000006359203Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.092{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6603F46E87625C9829026BB3051AF5A,SHA256=9C56D01C4830E5622F0EA1939A93B154CDF7D78AB9612288F9033E8317AF8AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359214Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C8BCDD4EE2D6A2983974F34ACF7A0,SHA256=E039CC162FF0E2FCEFF182B9D3BB42014F308945B7CB7556582C0A8D85E64072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860490Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:22.356{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68F7D5FCF9C66DF01DBF9ED8881DAA2,SHA256=B053359F0BBBC9D3F278E33622D2E2BD617DA68323621349C5818D080B1938FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359213Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359212Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359211Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359210Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359235Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.666{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA8A44C1DFE49EE3867DC44FD71C2C8,SHA256=DCB17176DD9931E55AFC6729827495209CDF28C7CA525A50121C7E0198E236D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860494Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:18.478{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55004-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860493Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.371{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3532C21469AD1547C3FDCA973BAC0F3,SHA256=2AE32606418678DE066D5C0531ECF6B1DFBA8C1AC44EA1FEB6EDE8BCEF166A86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359234Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359233Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359232Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359231Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359230Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.279{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359229Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359228Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359227Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359226Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359225Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359224Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.276{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000006359223Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.267{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000006359222Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.257{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359221Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359220Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359219Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359218Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359217Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359216Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000006359215Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.245{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000860492Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=738B4E480FB216770EFC62A51CB3ECC9,SHA256=9456C844C153B9A5988681EFB7CF017ED2DDC130CDA8CE49BDDE7C0D08DB1B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860491Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB49A3A301A908C9D1414FCC383A412,SHA256=03A8B1864AA26531CF06BBF338561C8D49C50B804EB953F1CB81336218625F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359242Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.880{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA4DD6B1AC962CADE1AAB3F7C2D8553,SHA256=1C7DC58B0920FD9B4022C50969C1D0F88B4998E81603948A82AE1A1255346FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860495Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:24.403{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E010F8DD13E292ACF434BD78E36191D9,SHA256=213692AEEFB682CF811EFCD54CEA57AEB048A84C1608FC45AFCAFC40B6638939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359241Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359240Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359239Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359238Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359237Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.260{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA10B2F1C576D70A7C6E0556A7C49663,SHA256=0110E47DDB81C78B878AA483220415EEBFBC831933C6FE88643C78FD3ACDDEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359236Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.248{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA2F94D6FF186F37F144C30D7AE8EA8,SHA256=61B64554FBFFF6C192439E54C84B740FC7E8946A54E4A5677409BD5DF2541467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359247Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.886{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21EA98FB587AB527B624B737D8CEC13,SHA256=247F4CBB7DEA8719F051540D17D9DE1BFA5CC82E1CD0F22377704086FEEFFDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860496Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:25.403{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C11EB11B85FA0756F635401241EA1A5,SHA256=05179EC8B522A23BE8A8AB1D5A236A18FEE124FD24FF79D39BCD64A07B4DD699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359246Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359245Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359244Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359243Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860497Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:26.465{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98AE60FC8E055BD3420F4D7E76C4091,SHA256=985876C9AC843063D91F37EA64C6EDA15B4090DF095A8F552DEC8E662E8E9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359253Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.890{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D937E0AD4B52B0E9E7026DCA02C190E,SHA256=77E239B879D5B26FFD4C4007AC426E2B412682F7D5BEBC47E9A912D1AA55FE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359252Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359251Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359250Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359249Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359248Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.240{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61DCB2C7661F4DDF47DA8E0C8FF61850,SHA256=E76E6FF5AEAD3752AEC1E5A4FCB4B35DC5BC25251B646A9EFBD2150B71AD9B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359347Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.899{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B58EB4D7A7B48B18EF857AD777C622,SHA256=B01060A3ABAB49FB0D7FC73C93C32B0082F373E7B2CBCF4EE1BD69C742A4D575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860498Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:27.481{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9953A2DF3E871E218785EAA5C7CE0432,SHA256=985D8696204C1CD5D2C19BB4FD24E806BDB882F98A56E3CE574FE351A898D68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359346Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.651{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7596928A64EDC323C91B544E4A0B09,SHA256=FE5E6712D40C9193EF27940FFE6CE99D478AB8B25A4BF954C740C58039384032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359345Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.607{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=FE7E5F82FEFA55F85B0D6C6D0F9D1C65,SHA256=4DDE3118225D52F5E2F1311BD6A8DBB1907ADD049170DA232C41CD8682A07E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359344Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359343Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359342Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359341Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 534500x80000000000000006359340Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.573{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp 11241100x80000000000000006359339Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:27.566{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmpC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2_decoded.exe2021-03-25 16:54:27.566 10341000x80000000000000006359338Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.559{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359337Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.559{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359336Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.543{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359335Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359334Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359333Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359332Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359331Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.540{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359330Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.540{896A638B-C043-605C-9589-00000000AE01}50206208C:\Windows\system32\cmd.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359329Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp -decode C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2_decoded.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy %windir%\system32\certutil.exe %temp%\tcm.tmp & %temp%\tcm.tmp -encode C:\Windows\System32\calc.exe %temp%\T1140_calc2.txt & %temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe" 534500x80000000000000006359328Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.538{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp 11241100x80000000000000006359327Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.530{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmpC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt2021-03-25 16:54:27.530 10341000x80000000000000006359326Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.523{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359325Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.523{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359324Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.506{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359323Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359322Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359321Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359320Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359319Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359318Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-C043-605C-9589-00000000AE01}50206208C:\Windows\system32\cmd.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359317Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.491{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp -encode C:\Windows\System32\calc.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy %windir%\system32\certutil.exe %temp%\tcm.tmp & %temp%\tcm.tmp -encode C:\Windows\System32\calc.exe %temp%\T1140_calc2.txt & %temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe" 10341000x80000000000000006359316Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.473{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359315Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.472{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000006359314Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359313Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359312Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359311Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359310Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359309Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.469{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000006359308Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.461{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "copy %%windir%%\system32\certutil.exe %%temp%%\tcm.tmp & %%temp%%\tcm.tmp -encode C:\Windows\System32\calc.exe %%temp%%\T1140_calc2.txt & %%temp%%\tcm.tmp -decode %%temp%%\T1140_calc2.txt %%temp%%\T1140_calc2_decoded.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000006359307Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.460{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-25 16:54:27.301 11241100x80000000000000006359306Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.459{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-25 16:54:27.300 354300x80000000000000006359305Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.761{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1086-false10.0.1.12-8000- 23542300x80000000000000006359304Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.426{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=CC9B05A31AB019E6AC18A7664CC64CC8,SHA256=396C3F67B122B91A91598FA91FBB71F4BD9B24619E89593667F7097F52E18786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359303Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.391{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EFF6366ED3FC2A917FF5987B9E3746,SHA256=7951B138FCD8981D5FA14374CFF9A5BA76FC2A646C2D46EDC6C9BEF3E4B3FF86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000006359302Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:27.385{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc_decoded.exe2021-03-25 16:54:27.384 10341000x80000000000000006359301Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.378{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359300Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.378{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359299Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.362{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359298Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359297Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359296Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359295Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359294Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359293Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-C043-605C-9289-00000000AE01}54647612C:\Windows\system32\cmd.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359292Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -decode C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc_decoded.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt & certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe" 11241100x80000000000000006359291Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.350{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt2021-03-25 16:54:27.350 10341000x80000000000000006359290Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.342{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359289Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.342{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359288Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.325{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359287Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.323{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359286Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.323{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359285Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359284Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359283Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359282Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-C043-605C-9289-00000000AE01}54647612C:\Windows\system32\cmd.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359281Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -encode C:\Windows\System32\calc.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt & certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe" 10341000x80000000000000006359280Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.319{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359279Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.317{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033) 10341000x80000000000000006359278Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.315{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359277Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.315{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359276Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359275Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359274Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359273Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64) 154100x80000000000000006359272Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.303{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %%temp%%\T1140_calc.txt & certutil -decode %%temp%%\T1140_calc.txt %%temp%%\T1140_calc_decoded.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000006359271Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.302{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-25 16:54:27.301 11241100x80000000000000006359270Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.301{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-25 16:54:27.300 10341000x80000000000000006359269Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.226{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359268Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359267Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359266Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359265Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359264Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359263Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.223{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000006359262Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.215{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000006359261Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.207{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359260Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359259Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359258Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359257Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359256Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.204{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359255Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.204{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64) 154100x80000000000000006359254Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.195{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000006359359Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.921{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBF586EE6CCFAAD3865C6D9F35EC862,SHA256=AA50B13AC2CAF591B4BB705B7AD0186103E08EF05E41B11387661FC98D32B7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860501Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.496{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C5410FCFD9D76BD41CFA6D22E0CB3E,SHA256=C4EAC1ECE596E86F617CA97D024D6412DF188199B55575E9A31C0370789AB356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359358Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.866{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359357Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.866{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359356Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359355Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359354Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359353Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359352Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359351Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359350Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359349Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.427{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A376F90D8BE82906E72A1CA4DB7F860E,SHA256=48EAD3B649E33BA5DA98D1EA2E916F71A53BFD350F21D788B6972CED2C20B232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359348Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.205{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8636AF7AB6DD4A8E244A17759891FF83,SHA256=ACFEE138A11E4448A4815A7097EA981AD5576134F0896B04D5078094204C9850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860500Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01ABE7083582EA776533F063B50C5CAD,SHA256=F733CC451341D6B251B49B037B908A5A74EC932E588C8B719BA2BBC52F15F638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860499Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=738B4E480FB216770EFC62A51CB3ECC9,SHA256=9456C844C153B9A5988681EFB7CF017ED2DDC130CDA8CE49BDDE7C0D08DB1B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359364Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.933{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418FD5DBB246F7469C50FE467DE6C099,SHA256=5FADE3417BA0E86E87A38177AFCFFB2A183CDE754DEE5D4D9323C524CD86BA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860503Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:29.512{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38D91CAE608EE60FA63274501BDF688,SHA256=AFA816338EBCCBAA98DB17D5648E199647BB3D3398BDBCE2456B1287F6941B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359363Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359362Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359361Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359360Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000860502Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.525{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55005-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000006359387Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.994{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359386Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.992{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359385Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359384Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359383Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359382Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359381Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359380Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.989{896A638B-C046-605C-9889-00000000AE01}65644400C:\Windows\system32\wbem\wmiprvse.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000006359379Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" -decodehex C:\certutil\encodedhex_clop.txt C:\certutil\clop_decode.exeC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000006359378Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.987{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359377Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.986{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359376Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.978{896A638B-B5CB-6058-1600-00000000AE01}13087488C:\Windows\System32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359375Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.970{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359374Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.960{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359373Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.959{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359372Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.947{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359371Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.947{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359370Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.946{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359369Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.938{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BA2835152FE08030B00BEC2EC15AFB,SHA256=8DC824A7669938BCE414C07ED83346BB05091B6E736187E2B1D7DA06FF2093B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860504Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:30.528{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0A65ED5C1DD21391F98A3C13F8FE0F,SHA256=BB82658EA40AD7179F9E06146B468B5616EA6D78E1085CFEEFF023A74A2A757C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359368Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359367Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359366Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359365Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860505Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:31.574{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7720EAD3613A67335724B1BCEECAE743,SHA256=7113A5156A5AA30D84819E1D646E5002AC528D2B82F8059BC738F9658713F367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359417Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.995{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC53C68A54D3A7F070A4F7E04041B059,SHA256=39E0C4F40CA6827CEFCC6C327888E7C7ECB2337F112A64685C0D138DBF84A58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359416Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.958{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31FA7761296C3C0008880115656FC5C,SHA256=B9307ABA6FA6D21C7E87B184662BA393232337420A4B6354C5D29367B0159EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359415Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.942{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ECF0529FB6919B6234BF3103C1CFF18B,SHA256=C9DEE34737D55648114D720F3C721FD57571464B38B131F063F436730934DE9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359414Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359413Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359412Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359411Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359410Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.129{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359409Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.129{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359408Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359407Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359406Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359405Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.042{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359404Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.042{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359403Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.022{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359402Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.022{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359401Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.021{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359400Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.020{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359399Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.019{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359398Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.015{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359397Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.015{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359396Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359395Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359394Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359393Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359392Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359391Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359390Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.006{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359389Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.006{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359388Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.002{896A638B-C046-605C-9A89-00000000AE01}19763336C:\Windows\system32\conhost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359423Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.969{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D5A020F372769EC5A0B8353AE66112,SHA256=3C0AB485C54B68B1331D82B5EC1994564F1BAC6349D50A2C22A83973BC1932A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860506Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:32.590{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE54873FAFFDA24BC7AF202472832C,SHA256=E37F436CAAD82E1E03FB42AA00259AA8DCD4A233396A665844940A2AC374EA09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359422Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359421Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359420Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359419Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359418Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.640{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1087-false10.0.1.12-8000- 23542300x80000000000000006359437Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.991{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDA1BC2C292E28F3F0343CC9F9BB4FE,SHA256=56A026E432E9D29D546D5F5F5D63F6B9A24C13EA46B36E9B0FC7531C00A8D73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860509Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.606{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468F8410D5783BEE7A9566880E61AD5A,SHA256=E707B21B9AF481E8C26623E8DB9391E2C34A42E4F9DAC91A83AF4632BD2E8F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359436Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359435Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359434Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359433Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359432Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.508{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359431Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359430Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359429Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359428Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359427Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359426Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.505{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359425Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.497{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000006359424Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.340{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local49369- 23542300x8000000000000000860508Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A839500CA160DE8291405C06541266CB,SHA256=C344C4C3CECD1FEE5DA557B358285B169380BA7251C65A20F60DB6AE7535C24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860507Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01ABE7083582EA776533F063B50C5CAD,SHA256=F733CC451341D6B251B49B037B908A5A74EC932E588C8B719BA2BBC52F15F638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860511Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:34.621{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D3F2E8FA9C9C2A26B7217A71B16AF7,SHA256=6BAA8DD8CDD5FBA02E05D68C2C98457461CE5C5E6640C82378CD32652319E6C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359459Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.717{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359458Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.716{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359457Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.716{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359456Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359455Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359454Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359453Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359452Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.707{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006359451Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.692{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27CE3776C43D4B71B665E1DBE1E31F30,SHA256=4474EC8FA380D72F2BEF4740F53B57971F6F8F6465BABAFD5787F66AEE47436F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359450Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359449Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359448Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359447Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359446Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.193{896A638B-C04A-605C-9C89-00000000AE01}15247404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359445Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.040{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359444Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.039{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359443Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.039{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359442Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359441Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359440Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359439Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359438Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.029{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000860510Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.541{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55006-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860512Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:35.652{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BE43253DA0AF8C80E40ACA5567085A,SHA256=86078FD11D7451D4883592730BCFE3AA724766C18AFF82C10B09DFFAC523F90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359465Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.723{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068C22BE7FDD3700E46A62329DE68FF5,SHA256=40AA6F252CC6FCCDBBA043550EC301952ABA0688BA3E64428C8176A47D49C225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359464Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359463Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359462Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359461Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359460Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.001{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855C8C0F8B2D4DF8FE3457AB0B41513A,SHA256=9E3A49AF57E40E7ADA87D85A090985775D6146018520CC435A02B11349B67E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860513Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:36.668{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3382A00ADE86F62D153E6234C8959B6,SHA256=A45ACC17759BFCDC0638680471653D519B3B49A6A9D3E081FFB6ADCF63567E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359470Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359469Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359468Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359467Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359466Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.006{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBFEE8A68D499C142E8711CA213F932,SHA256=69FBDCFD1A1F8AA386C063A903B7DC2BB78ECED62761FA617D3A92605FAA0287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860514Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:37.668{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19E93E707397CD192BBD249618B03FC,SHA256=84E16FE13DCCE408AEEA1A13AA24BD65D294C1F0DEF96D6A9FDC1CADA886B6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359477Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.666{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7336439D3FDA545629DEC1BDAE9D5283,SHA256=847BABEF77D70FE6810DA4A9678CEE9A33EACE26C9EF29522B7A7ED9DEF649C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359476Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359475Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359474Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359473Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359472Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.215{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76383BA1E6A5860469FED99D0BA2A3D3,SHA256=9C81C7F463362512A9DBAD4DD1B84CA480FEEE0495A756636B965884512DD7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359471Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.031{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DA51E0A9422C81BDE344053D8A1BBF,SHA256=E89C823984AB78B7EF789FE20435C70A0F5A6E4294AF672F3F1B47CB119A07F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860515Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:38.699{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DACFCD3E5AFDE0FB463DE85096AD0C,SHA256=81BA875909704274E3DA825A9EED4E5C6710A14D86E58B3305EC4CE5B42161D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359484Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359483Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359482Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359481Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359480Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.565{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local51078- 354300x80000000000000006359479Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.772{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1088-false10.0.1.12-8000- 23542300x80000000000000006359478Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.042{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E233F9BD6BDF249F63883287834A5849,SHA256=9040BEF677C3244C6FD8208984D7A369C1D7B4158B424FE1D149B3849708DA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860519Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:39.715{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FCC2A8C69001ECDF72608CED25AA68,SHA256=1590972DBB716845BF2155256FD1F9E975C513DCBADB4ECC9D8CA4C43E8E5233,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359521Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.831{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359520Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.831{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359519Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359518Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359517Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359516Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.803{896A638B-B5CB-6058-1600-00000000AE01}13084668C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359515Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.803{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359514Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.786{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359513Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.785{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359512Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.785{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359511Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.784{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359510Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.783{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359509Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.778{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359508Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.778{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359507Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.778{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359506Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.777{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359505Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.777{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359504Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.777{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359503Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.777{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359502Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.776{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359501Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.769{896A638B-B5CB-6058-1600-00000000AE01}13084668C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359500Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.769{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359499Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.765{896A638B-C04F-605C-9F89-00000000AE01}72007936C:\Windows\system32\conhost.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359498Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.756{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359497Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.754{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359496Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.752{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359495Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.752{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359494Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.752{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359493Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.751{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359492Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.751{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359491Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.751{896A638B-C046-605C-9889-00000000AE01}65644400C:\Windows\system32\wbem\wmiprvse.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000006359490Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.751{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" —decode C:\certutil\encode_clop.txt C:\certutil\orig2.exeC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000006359489Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359488Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359487Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359486Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359485Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.272{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1654CC81495A5F80954ADA5CBE75E57,SHA256=CB1D16FDEF6052093E77F317741DA94544D25BA635443201B7267B603E25483A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860518Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:34.556{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55007-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860517Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:39.199{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAF26EA822C864987603E99D8BAA16E6,SHA256=6164F670DA94BFF07CE9C0BA98ACE60F470F47E827794E8684DA700B2AB20FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860516Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:39.199{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A839500CA160DE8291405C06541266CB,SHA256=C344C4C3CECD1FEE5DA557B358285B169380BA7251C65A20F60DB6AE7535C24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860520Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:40.746{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC01A5F818BA434FFF8CC132AB9F29E,SHA256=0A7C49165952EFE332072E8A280C6E6A3FB646F36979258F70285F4E19D095D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359528Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.776{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58392ED3DBF05333E2D7EE80CC58487,SHA256=DAE7A7144AA9857ABAB707E16228756B62741EDB9AF40D7775143694D5F86600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359527Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.751{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5D05931BAA76D307165210BE726B1D7,SHA256=8F11D4EDB444B204925DAF0ECE842EF59CC1A92799C578DB29588BBDDFE1AB29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359526Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359525Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359524Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359523Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359522Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.329{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF93D0E986AF0C4BB17E61A2DBD3DEDE,SHA256=51460AF4AE710F1E5AA88280FF7901D0CCD5A61AEE753D5167093BB14FF68DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860521Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:41.762{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E6CE0AFF6CAF6260B0CBBDAC274546,SHA256=EF87CF8BABA66C9E62949F8B501BB4BFBD4D7DABFAC23214D6C6A5844448FA12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359533Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:41.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359532Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:41.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359531Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:41.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359530Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:41.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359529Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:41.349{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E525E521FB91BA60CCD18DA97DF1C25,SHA256=BA7A3D5D39E0B4CEF834691442208DA8936A21869FB2D47AF1F1E755D8F89721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860523Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:42.793{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD743885D83B008B9D4059769CC5A1C,SHA256=B0F4B3CC51347C27EE9F10BE5B725B1874AF6B30592883F39DF78ED3A524A168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359538Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:42.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359537Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:42.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359536Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:42.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359535Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:42.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359534Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:42.361{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE99477AF8C9DE0617623F0779AEA90A,SHA256=60067ED5AB56A513AC33664DDEAA4477B345448A3D83D122DF8242FC0C35FCFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860522Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:42.168{BFB545BB-B8FB-6058-A200-00000000AF01}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860552Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C053-605C-9079-00000000AF01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860551Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860550Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860549Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860548Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860547Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860546Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860545Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860544Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860543Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860542Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.918{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C053-605C-9079-00000000AF01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860541Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.918{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C053-605C-9079-00000000AF01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860540Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.919{BFB545BB-C053-605C-9079-00000000AF01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860539Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.809{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398AB85F51444500C82A7869A9B4524,SHA256=21F8CC9A8EF6B60686620E6BBCDD6413368CC50FE7168F35389678FAACB77022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359544Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359543Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359542Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359541Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359540Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.375{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AEB7A3F8CADE4CEC22FDF01D69417,SHA256=9AB96B3E8254C6A664EF4E2255EF7B06472FB145CC635DEADE47D8914C872B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860538Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:38.571{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55008-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000860537Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.309{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C053-605C-8F79-00000000AF01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860536Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.309{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860535Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.309{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860534Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.309{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860533Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860532Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860531Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860530Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860529Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860528Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860527Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-C053-605C-8F79-00000000AF01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860526Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.293{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C053-605C-8F79-00000000AF01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860525Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.294{BFB545BB-C053-605C-8F79-00000000AF01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860524Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:43.231{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAF26EA822C864987603E99D8BAA16E6,SHA256=6164F670DA94BFF07CE9C0BA98ACE60F470F47E827794E8684DA700B2AB20FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359539Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:43.096{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B825FBA394DF21F476061DB5B5A8C519,SHA256=682A8E2E592B90D1ABA3092BB697BFDBD327BF6CAB544F88B59D5C7D15861947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860568Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.902{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77F48D2966A651BF06AC94743300F93,SHA256=2A8C47E2E742A73A2EAF66E41F4BFABC3C2EE95D700EEBFE4FA6EFD51B4D5117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359550Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359549Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359548Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359547Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.586{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359546Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:40.649{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1089-false10.0.1.12-8000- 23542300x80000000000000006359545Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.390{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C58D0A3BCC48CC22B23FA63430DDDE2,SHA256=E86316CA53F8D0F710FC64BBA0CD98AF7BC27114783C49AD8829ACD0B7B901B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860567Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.684{BFB545BB-C054-605C-9179-00000000AF01}39281168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860566Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.559{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C054-605C-9179-00000000AF01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860565Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.559{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860564Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.559{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860563Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.559{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860562Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.559{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860561Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860560Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860559Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860558Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860557Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860556Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-C054-605C-9179-00000000AF01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860555Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.543{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C054-605C-9179-00000000AF01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860554Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.544{BFB545BB-C054-605C-9179-00000000AF01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860553Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:44.356{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A55FB3FB65B2DFB06CA40EC6C4A939B,SHA256=7F092385DB737EC8E23FE810A0CB2C9E618E1E4CA38A42548280D7737AD52A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359557Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359556Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359555Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359554Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359553Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.505{896A638B-FDE4-6058-4A12-00000000AE01}6364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359552Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.399{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238B835B6A0F9DD1C7D33FF55F56764,SHA256=E97DEE09FC60A44761C6A97FEC567791C1F36E23BDBCDE8D6B024EBBEF7F3B67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860570Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:40.571{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55009-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860569Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:45.574{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D47471C6CACEE6EE91212DDBBC1625C,SHA256=A41353DCE9F82D17C2F27E5D3EF1ECD782847307C13C9056D6F6D6C49E30C05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359551Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.343{896A638B-B979-6058-2004-00000000AE01}6812ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6812.xml~RFfc95481.TMPMD5=252339AA827EDF67FD7282E4687C012E,SHA256=F10428D5349ABABEE8EE4C17454B4D3C7AEA375B6D006F94F9BFB3B1DA0ABE8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359563Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359562Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359561Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359560Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359559Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.496{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DD3BED080A0DCBE6E99FFDDA95426D,SHA256=3586927FD70526D0CF552A4D6445045913EC0D1E750E063A7D12C5D988C79067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359558Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:46.410{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E4104B1B5E77C00BCBAF7DBCEA76B9,SHA256=981E58A9593FEDED864077EAA3C09298D76989D99CF5856BA16F13FF2D60A738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860571Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:46.012{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8FA5C4B9650F6FAD06E1DDDC013D23,SHA256=225F6BB6F0654FE39EF1F744B2C40580132F092C4A4EE7B2065BB4CF0C5C2A80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359586Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.890{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C057-605C-A189-00000000AE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359585Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.888{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359584Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.888{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359583Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.888{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359582Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.888{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359581Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.887{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C057-605C-A189-00000000AE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359580Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.887{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C057-605C-A189-00000000AE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359579Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.879{896A638B-C057-605C-A189-00000000AE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006359578Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359577Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359576Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359575Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.587{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359574Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:44.051{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1090-false10.0.1.12-8089- 23542300x80000000000000006359573Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.421{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4D9054D027568647A30A6AAEF74AB1,SHA256=FCE5F5E26C31CCB4D93B8901D2124B3808D695E90AA1860F84D980304CB76BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860572Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:47.043{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31A4F8920A0A04A90B81207A95D49CB,SHA256=B01136CD84999068DBF3D3120C92B899B54D53AFAE5E2B84CD50437E3D8DE12C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359572Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.359{896A638B-C057-605C-A089-00000000AE01}57084504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359571Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.212{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C057-605C-A089-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359570Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.211{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359569Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.210{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359568Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.210{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359567Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.210{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359566Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.210{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-C057-605C-A089-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359565Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.210{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C057-605C-A089-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359564Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:47.199{896A638B-C057-605C-A089-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006359603Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.717{896A638B-C058-605C-A289-00000000AE01}6136344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359602Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359601Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359600Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359599Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359598Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.569{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C058-605C-A289-00000000AE01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359597Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.567{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359596Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.567{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359595Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.567{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359594Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.567{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359593Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.567{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C058-605C-A289-00000000AE01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359592Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.566{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C058-605C-A289-00000000AE01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359591Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.558{896A638B-C058-605C-A289-00000000AE01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000006359590Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:45.781{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1091-false10.0.1.12-8000- 23542300x80000000000000006359589Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.450{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D01CC6378A376EEE2740201BD4C9BA,SHA256=22D46C3D81CC9DE4AE441C4CE074130A4BE41B36B5C9F1FE547A4CF51020F476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860573Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:48.059{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0A2863DADA988E1275EE5C0A7EEE06,SHA256=AC27B94E614AE2B3AE88C2F7E9022E79EEE31A5083EB9592C9EBD4DBF3310CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359588Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.213{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29FDC1AFCA9AC7CF488B3F4DDB34C850,SHA256=78137A1F463D1294525259A89E1EF06E6CE35215EA99BB5D1903814173E715A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359587Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.044{896A638B-C057-605C-A189-00000000AE01}49165292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359617Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359616Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359615Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359614Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359613Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.565{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F0C420894CC96930819F28B6CE83F8E,SHA256=ED38151193C212FDD7C7B2AD4BC5BF18EDE4A605DD1E5DFBED07076AB919E490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359612Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.459{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07264C33D3147CE0F8960DA3C8AFEDCF,SHA256=C2D5663F348507FCF070C1A28A86AF7E3F65ACCCC7DAA0BCBFE0E7149201D525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860574Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:49.059{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C521B64FE3625B8E5818C4ECE5B36EE8,SHA256=C96946E142373DC53918B718DD29574BE9F7359C73526061DC1713318E855B18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359611Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.247{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C059-605C-A389-00000000AE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359610Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.246{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359609Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.246{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359608Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.245{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359607Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.245{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359606Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.245{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C059-605C-A389-00000000AE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359605Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.245{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C059-605C-A389-00000000AE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359604Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:49.236{896A638B-C059-605C-A389-00000000AE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006359623Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.592{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8665167D997564D00703E3B29D65CB65,SHA256=C43D9143D716D9F62636627F2EEA01C9F9D66560CD8B6F7BDF2295B4577769A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359622Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359621Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359620Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359619Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359618Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:50.466{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A489546C6CFEBB55899A330C9374A52C,SHA256=B34573ECD347CF0D37FF9454D2D4762A65F55D54FAF02C1C24409162B2787029,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860577Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:45.618{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55010-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860576Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:50.293{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C75CE20B330082A08CBFE324FC484B78,SHA256=20AD7D28F8670A3D6F7D7606D06F69FF35F77C8CDB77A9B632D337D3890B6034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860575Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:50.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DC93D60EA661274D8A6A4E6D5C4023,SHA256=04A64E47DDBDC0A3CCF37818C26174F667E26751BD2ACD905E4310908F663F0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359630Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359629Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359628Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359627Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.588{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359626Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.498{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5995942CE19BE6DE7E5025D7ACCBE3F4,SHA256=E6989EB88739CA8B162DD882D54F1D587F97F484301F22B514ED0AD2AFC5A0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860591Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.934{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C05B-605C-9279-00000000AF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860590Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860589Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860588Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860587Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860586Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860585Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860584Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860583Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860582Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860581Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C05B-605C-9279-00000000AF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860580Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.918{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C05B-605C-9279-00000000AF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860579Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.919{BFB545BB-C05B-605C-9279-00000000AF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860578Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:51.199{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2A970DF03F26A7035771C81E7D8B47,SHA256=7B37145FDA546E743C70F793C3C7F2E757B931401743E89BA556D7F358CBCF36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359625Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.145{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1092-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000006359624Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:48.145{896A638B-B5DB-6058-2A00-00000000AE01}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1092-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 10341000x80000000000000006359635Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:52.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359634Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:52.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359633Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:52.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359632Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:52.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359631Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:52.503{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A7B4A162D9AD369871E3E7FDBC512D,SHA256=8295AD9F0A1D1805923175F9E23E3DC193C0D77F90FE632CDBCF2652B8E10455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860608Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.934{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF8CCE6ED7D6DE1427086A8EDE98B4F0,SHA256=58C084866F430A6C1E9F9E3AC4132ADA698DA0ECA2D315C3A3461C770A9B5D86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860607Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.730{BFB545BB-C05C-605C-9379-00000000AF01}33683944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860606Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.605{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C05C-605C-9379-00000000AF01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860605Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.605{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860604Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.605{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860603Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860602Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860601Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860600Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860599Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860598Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860597Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860596Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-C05C-605C-9379-00000000AF01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860595Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.590{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C05C-605C-9379-00000000AF01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860594Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.591{BFB545BB-C05C-605C-9379-00000000AF01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860593Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.215{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F489C665645B4BE15781BC426DF6FCE,SHA256=A30C0D79FE03FD743AF7EA6475DAB82129FEAAFF6F7F5426DA71180A853BE537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860592Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:52.074{BFB545BB-C05B-605C-9279-00000000AF01}38402248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359640Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:53.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359639Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:53.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359638Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:53.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359637Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:53.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359636Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:53.507{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDE6AFD569CA96AAEA6C68F1190EF90,SHA256=A1F032DCBE735AE2973B2E76216F4CD23CD09A634425005B622948796EAF4785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860636Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.949{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C05D-605C-9579-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860635Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860634Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860633Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860632Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860631Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860630Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860629Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860628Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860627Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860626Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C05D-605C-9579-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860625Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C05D-605C-9579-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860624Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.934{BFB545BB-C05D-605C-9579-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000860623Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.402{BFB545BB-C05D-605C-9479-00000000AF01}20203496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860622Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.277{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C05D-605C-9479-00000000AF01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860621Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.277{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860620Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.277{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860619Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860618Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860617Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860616Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860615Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860614Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860613Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860612Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C05D-605C-9479-00000000AF01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860611Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C05D-605C-9479-00000000AF01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860610Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.262{BFB545BB-C05D-605C-9479-00000000AF01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860609Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:53.230{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6701881C58D744F2D5ACF02730D8C306,SHA256=F181F7A6E542E3F151FFF6F0AF64FCBAFC37F36C877F1912BBBFA4B4D8C41C43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359647Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359646Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359645Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359644Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359643Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.531{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B8DE951F496E36F8A0EB0580DB2899,SHA256=21BB5D4A383255C69AC22B4CE694808DB512DD5911052AA40A9C57F09EA7F569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860638Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:54.496{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3039409B8F5366826F6152801D01E62,SHA256=410BCCC528AA8D5045B799F6AFA7927B81C1C1A1864F056803634229F2742464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860637Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:54.496{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFCC9C6DFCE5B2DF95282DF7C239830,SHA256=7FF9EE9B2933121201325A2F15FCEF4B27D1C64E2F73C82FD965F237EBA25C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359642Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:51.655{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1093-false10.0.1.12-8000- 23542300x80000000000000006359641Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:54.108{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA14095C21756D3C43D4B188157B6AA,SHA256=3ADEBBEF3AD5EB403E799A93F44D713764BEE42423E1347657F6F3665A23CC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860639Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:55.512{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C7AC677DD6A73C4D883B2E426C188F,SHA256=ED6628E189806B05AD2BC5B6A090AE420F179875FB99AD7AF56FCC3B8CF821BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359652Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:55.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359651Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:55.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359650Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:55.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359649Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:55.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359648Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:55.545{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D497083AA7239D7DDC8C23D4D0189133,SHA256=B8DCC3F3A519FC9190E529E6D1D6F26145430FFE27D7EF19DF33CC00D6A0ECC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860642Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:56.668{BFB545BB-B866-6058-1200-00000000AF01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=53EC3B5500DCE1F3B60C5C7A2D8A8092,SHA256=CD175BC1A6B485CC96ED18E00321782A3033310D228DE9C7F93183B87935D37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860641Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:56.559{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CD150D4449AFFCCE966F322216316C,SHA256=356F8C5985FCFEF3F11811AA96A731CA3C9A44BE2B43A846B68E6560C6881AD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359657Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359656Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359655Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359654Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.589{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359653Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.559{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF202708B5FB053BA34C840361AAFB9,SHA256=8A9DA08AD4847CAB50922C12D61191431AE138D25C2D67CD2DAEC51B25A60BD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860640Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:50.680{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55011-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860643Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:57.574{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E56B5F5B204D888461BF2BEFE0E5A7,SHA256=8B12D7B7866F1591849770AD43355B7BC1E4D14A2824C43984F5CE8343FF7021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359662Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:57.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359661Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:57.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359660Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:57.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359659Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:57.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359658Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:57.562{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7664AD67A4B7B94B0A5585DFA9A298FE,SHA256=11A4236E463A13537B8B7FE8E951C6DFF939DA11E6A140261E9B4227E38AA157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860644Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:58.621{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA058ABFFE13C0EF08D78AB5023BCDAB,SHA256=825F7404D19FD77DAD7269CF8AC37681E90EF169224DB001ADA0C2B1188C09F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359667Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:58.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359666Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:58.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359665Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:58.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359664Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:58.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359663Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:58.571{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818166C84F7F4F079B2515F2DA428F22,SHA256=C948C9AFA70160D6399DB19D93914B6DFC121393BF3250A550C16461C669935F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359674Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359673Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359672Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359671Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359670Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.576{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91ABFF34A569704B2FDCDE6B2393D8E5,SHA256=CEEA73216202509FD32AAA43113915AD50C7FAB239272CB7742BD92D49DA1E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860645Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:59.683{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4252FE43B502BA3CBCD6706D4F6CF1,SHA256=6D77041CBD76EECA21249DA0D444294CD74B28848236BA19856A71A022F099B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359669Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.288{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2E241BA2869EC3C5F5B4425BF4E8B1,SHA256=4F4EE5BE1FAE29465D16159D6B18E65F16DB7ACDE9489E3FF4614DEDEEF03110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359668Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:59.287{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032147B4AE573B4248961E51063D0C24,SHA256=B3F3E3110DFDFD6639F63CA138C25F09C19DD444E723E77D77416781653E50E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359680Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:00.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359679Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:00.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359678Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:00.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359677Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:00.590{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359676Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:00.582{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449A30B2750DC51B7F1065D58C77353E,SHA256=D1A2C0FB371BAAA400498B7303FC3B0BA03C5E9AC4EA01214C676CAB3779BFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860646Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:00.715{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9792F259A495EE518AB6EF70751FEF,SHA256=8DC5E961B0DB46191B1E13A43C06BAD24C6110A5A94A607D1431E685FE137A45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359675Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:56.785{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1094-false10.0.1.12-8000- 23542300x8000000000000000860650Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:01.730{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075FF0C2D31FDCC8E1C0D1F92808A099,SHA256=148CF8D02EFC2CF67DE3D7D728BD047FBF0B2539D0AE2C39C2A25FECF3E4501E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359685Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:01.603{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1770079D56DF5390CBA7CA0769E65AA,SHA256=B063456881BF3700FFC7869834E4631A3C49892E3A0B003A5B89FF86074A49BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359684Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:01.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359683Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:01.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359682Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:01.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359681Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:01.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000860649Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:56.462{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55012-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860648Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:01.043{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE2F6439A24B52AB9E3261C45C0EAE36,SHA256=34080F7D25F878ADD229B1A031CD86FDB2D0967899FE8D66B51CCC9C089EBC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860647Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:01.043{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4979EC3F2674A3B3B7785FB1ABEF8F62,SHA256=A57EB9EF0EE1CF060F8D6D6DEA91E803DEF5F73786B06F5E8F1CBBDA9538067B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860651Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:02.777{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E7A6E18B8A0BE5A835E76E4024F10E,SHA256=B70594BCDC350F2AC5FABD5BFB817ED9C2A2B1F26B573CEB6847BCA3E0B72643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359690Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.617{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21CB8C5565EA290D73EAB86BBF89DFF,SHA256=0029CEFEFDE43D8E997C56A35B56862C77E31464C5AF88DE443C4003EFD7A108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359689Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359688Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359687Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359686Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.591{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860652Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:03.793{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8988076F2733646A1B823D5A451FFBF,SHA256=47353D437D5880C364D02B9304A4E2699D2F7B6B9491B610E233E5A2A875662E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359695Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:03.631{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89796E3FCF8CB8FE6979BAED914705BC,SHA256=95A8B7119C6C28E4F9C9BCD239355FFB34AA8AFCF010BAC9BE1063B2E5ECB969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359694Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:03.592{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359693Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:03.592{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359692Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:03.592{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359691Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:03.592{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860653Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:04.808{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B087E451E9A9BE4B6EEE878A7B6E7C,SHA256=B010DEFA7033519ECC29C5CE7E02ECC4C83FC47F37EBF3990C9A1389B44ADA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359700Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:04.644{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760E390382172B1F67752F39DF4D012A,SHA256=8B2B78663FBD1332AB8A2E0813866EAAACFA64EF50F98873D53CD3395034469E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359699Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:04.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359698Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:04.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359697Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:04.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359696Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:04.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860654Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:05.824{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90645CFE22417CB0D9898469697E4F77,SHA256=A44F818F8BB5DA78781F8AF4B97CC2490E970FEA56C93F67A363B531DB23F9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359708Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.651{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C712FC2383283EA9144AA8C00AA2CA,SHA256=49B1408189B4893C1E4A09AB5C6714F8EE7A3EFA394A247BE6D4F5C865898B55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359707Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359706Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359705Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359704Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.593{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359703Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:02.666{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1095-false10.0.1.12-8000- 23542300x80000000000000006359702Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.112{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0951FF96845558950819E4D39A7F2C,SHA256=849A1B831ECB3318BFA402066791164CB05AE3F8422A0252091A085EE2E30867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359701Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.111{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2E241BA2869EC3C5F5B4425BF4E8B1,SHA256=4F4EE5BE1FAE29465D16159D6B18E65F16DB7ACDE9489E3FF4614DEDEEF03110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860658Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:06.840{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAD5B9AF18B193E6D7C2922F9276980,SHA256=6F8116D68A1E769D938990FCE215DC0963DFACF724F7687C1A804616FCFB7F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359713Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:06.667{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392FCC151AAF5F8BC6E92415253467F,SHA256=AAA28B4E800F9781BF588317DDF74EC98930F5622D5EA0284D1F384772EADE1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860657Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:01.477{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55013-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860656Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:06.058{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B1FB14BDC0E403BB28C5A5B43174BE,SHA256=A47275925DE34448EEC4F028D72D73689D1B662FC5D978FAC630A8A9B9B4FFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860655Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:06.058{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE2F6439A24B52AB9E3261C45C0EAE36,SHA256=34080F7D25F878ADD229B1A031CD86FDB2D0967899FE8D66B51CCC9C089EBC17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359712Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:06.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359711Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:06.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359710Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:06.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359709Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:06.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860659Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:07.871{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB3C3BF9D41A54C0DD26820E1FB1290,SHA256=31E42E9AD5F8E4D5843D585F501D600EB193586FA1AAA4C4A2D097F8E6BB5CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359719Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.671{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8682B2F996EA591B683C5B80AB260FA,SHA256=B6CA2AF2A85D13F7426BFB4397019CA9E0D178AC433DC29602FE2D9E06A7084B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359718Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.647{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C84980B766398F3B2BC9FEFCC4EFFB14,SHA256=4D2438E4BAE3C728A3E9274B5F815130C6E5DDB8B6ED0165C630E65E8BCB2835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359717Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359716Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359715Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359714Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860660Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:08.886{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3E864EF8AAF2A446966D8CBEA18D1E,SHA256=3BB58D4BF2C311083E9A5951A0DCBC7A2B5BDC1405511274E101E53FE6B5C453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359726Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.674{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14727E1B5772248330B9DD5457B0D21C,SHA256=3F202BFD418B77A2D631939D0FF243F46EF6E58F4A0E3311CFF66CE5D17A65B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359725Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359724Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359723Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359722Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359721Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:05.592{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-792.attackrange.local64562-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 23542300x80000000000000006359720Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:08.035{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0951FF96845558950819E4D39A7F2C,SHA256=849A1B831ECB3318BFA402066791164CB05AE3F8422A0252091A085EE2E30867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860661Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:09.887{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7B13FC9CC2A35694D7477FB13E0D94,SHA256=6674E7710FA6B473E993C7B12337BAD012F0A65DD27E15A90B66AE9852F75121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359731Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:09.689{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB66D614597FFD3154434BFAD466C37,SHA256=5428B5078BE4C862A874500F2EECE4FB045B00FA45564F8B21654A0F478C95E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359730Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:09.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359729Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:09.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359728Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:09.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359727Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:09.594{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860662Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:10.918{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7F7753DE5917060155E8A48A62DD8F,SHA256=58ACAAA683F5DF5F9694355FB2FD26FB1C634844051013ACDF89EFA2909BF974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359737Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.695{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B38C4EEFC7CB3FE5378901DE2D5FE9C,SHA256=1FA0996259E4F4B7353C3E0EB04044FEAF824174BFE20081D60EEB38918A52E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359736Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359735Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359734Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359733Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359732Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:10.233{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A19876F2B25B57BA0560ED1B62F71FE,SHA256=5496461C09E48254C2B6D2A90C9DA3FDDB95E9C078C91F72C2366F0A7A9396A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860666Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:11.949{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D8CE734B591A53254706E8214B64E2,SHA256=D8DCDBBB3E920B326F3779F01F81261A019F262F798898A41D8ABC59C9DA05C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359743Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:11.699{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9E7FF2A1941C77BD74A2956E5339F,SHA256=153099B0C91236BAE4D9DFA3E15C991682256389097FA6740BBA53F6A808F9BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860665Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:06.508{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55014-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860664Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:11.136{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C45704F63719BB253F677044601BF970,SHA256=ACF43881F1CAAD1510C2D03DABE03658B31EFFA52FD19F26F0842AE1CAE2DFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860663Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:11.136{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B1FB14BDC0E403BB28C5A5B43174BE,SHA256=A47275925DE34448EEC4F028D72D73689D1B662FC5D978FAC630A8A9B9B4FFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359742Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:11.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359741Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:11.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359740Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:11.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359739Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:11.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359738Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:07.790{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1096-false10.0.1.12-8000- 23542300x8000000000000000860667Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:12.965{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C24885228E7DB7181DC244A9EEE5C4,SHA256=4116F007B0346E5C69C21CF4201B87783D7AB1109D175D8AB11CE07383DF535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359748Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:12.702{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABA933622DF5B5A75C922997E3E4FA6,SHA256=B2EE617CC191FF4C6CEE1B27A2C7C04EE1744941460FCE112C746EA2BA5C5708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359747Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:12.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359746Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:12.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359745Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:12.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359744Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:12.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860668Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:13.996{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EFDA1AFEC51F8F574B0A2BAAB97C44,SHA256=1EF13734EDB83E927CE242867B06FB9D62C8A6EC94481CDB12986504350CBBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359753Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.720{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A1F4BD2EF5D86C30E865CFC56EF0C5,SHA256=6C4EFF87171E9D5CBE93B1F31A3630825A408FBD4FB5C55D8B5241833B863B80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359752Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359751Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359750Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359749Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.595{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359758Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:14.733{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432582BF82751F824F7DA20A9C9A7224,SHA256=48FB71ABB9421C2EFF97D5E7B983E71198E80E390AB3AA9F62DC1E2A0FE2C84E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359757Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:14.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359756Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:14.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359755Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:14.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359754Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:14.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359763Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:15.747{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D978CB4E6A72A597E7DF3869902CD9B6,SHA256=F97457F347AD286808D7991760E4F53D09A5A36BF22E41D1E0F60848A3EC3371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860669Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:15.011{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9652087C05B07812C8942883DD3CA57B,SHA256=2ACC62AFB1CEC60C5D58029105DCFEEF1E53D35C7C986E906542F197339756A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359762Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:15.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359761Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:15.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359760Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:15.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359759Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:15.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006359771Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:13.667{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1097-false10.0.1.12-8000- 23542300x80000000000000006359770Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.762{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AABF2B93F04DCED95627D426CCBFE8,SHA256=1D3862670104F4E69654A0EFD2376577A6431A11E89507CF15D35C8B99F3A089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359769Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359768Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359767Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359766Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359765Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.112{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=445B91629491117E1817E5A6E681BE4B,SHA256=569904CC32D147E72E6FBD0D3320BB2D82D22AECD0E778745BA18179DC052788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359764Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:16.111{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BF6B8DEE027CBF2389891CB9B2274B,SHA256=BB5222BB592B1865439987442D8F4E8EBB766F64CB9AC8061C8FBC5B76C001EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860673Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:11.524{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55015-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860672Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:16.246{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779287FAB0AEDD4E02DEF038B3CEDF47,SHA256=8B42C2E906CAA1856DB3CC680AE26678169889E5BDD02B1D32D8401A9B3366D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860671Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:16.246{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C45704F63719BB253F677044601BF970,SHA256=ACF43881F1CAAD1510C2D03DABE03658B31EFFA52FD19F26F0842AE1CAE2DFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860670Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:16.027{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D08DB372010A63A89611F3B805ED7,SHA256=8D976BE9EFB739B2AD7528021B0542ED9BEA1D1D372C9B686BE63A1796D5486A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359776Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:17.769{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C74735B10B2C085D562175A6AA7A7D,SHA256=E8477B46E14F6D501875D61FBFF88704E15B63B404B1F5B005CAA4314C7BC27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860674Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:17.058{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A92C0201B529A63BAF17289371B58,SHA256=46D117985DF6BB689C221FB34FE3C89436DEA4057565059F62ADC1C0903ABBF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359775Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:17.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359774Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:17.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359773Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:17.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359772Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:17.596{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359781Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.788{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70022A7A28C9B554B1153E8A2233CEA3,SHA256=AAD503F1C5C083F464962CF533BDD97BACD1EFE0B49C25F41A7762E10B0B2C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860675Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:18.058{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EB6F7927EDCBE2D97A2F0A7A011D2B,SHA256=E48B7A926080995626C41F6CBBB62B480202BE1FA9002BB0AD60C97669BEE7B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359780Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359779Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359778Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359777Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359786Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:19.793{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7830CC1FF8FB396ED45636C91A71C010,SHA256=5D9D6B8B40538116B29BBA67C790CB98D673E8ADE5266836597BAE64DE1CA825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860676Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:19.074{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03273ECC0745A9F8267EE01FB297722,SHA256=46B069427CC1F1B6F97FF75AAF1EA7E022FD56134B1E5C45DFCBB000CCE29495,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359785Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:19.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359784Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:19.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359783Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:19.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359782Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:19.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359791Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:20.799{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A21DF970963DD7307D0804EC34E0AF,SHA256=A66EBB9D468473B9E9FFD4841DB0693FC5141280B9EA6354D84CD3B5A34220F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860677Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:20.074{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887EB76632BA3B20C0AF25D8E7998724,SHA256=6B660A788C1BA48818B9D8B06EDFD59BDA9A30D83BBAE28D65AEE4B10B00D4AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359790Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:20.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359789Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:20.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359788Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:20.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359787Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:20.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359799Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.802{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE5F0FDC5C633233CECE49884CC4E02,SHA256=562F8394FDAB0940569727D2F66BBF09C355886D6665A77610480D1677B98BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860678Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:21.121{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1F92999A3DF04B7AE7ADCE25AA5FB2,SHA256=E783D11BD307ED5F73FEAE7DC092C5433F0CEA74B792101262BB012BC5E8DDF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359798Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:18.799{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1098-false10.0.1.12-8000- 10341000x80000000000000006359797Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359796Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359795Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359794Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.597{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359793Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.246{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F034613D9D37F5361307B4820FD8BD51,SHA256=8EDA8C6BED3F57DD2739B11241B6FF1C5339152C8024CBA09C2C5E858D54F495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359792Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:21.245{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=445B91629491117E1817E5A6E681BE4B,SHA256=569904CC32D147E72E6FBD0D3320BB2D82D22AECD0E778745BA18179DC052788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359804Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:22.812{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E35FF0DB405B6ABCD90B91A43693FF5,SHA256=B53A9E9014A1C0225145571792027FA3E42C2814C6E224F5B28C88836E7115FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860682Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:17.555{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55016-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860681Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:22.183{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99CCB974782EB844E0ACE42F033B9337,SHA256=7D0A7EF1FC58FFBA94FC218C0304A7C99CB44784EAB12D52DA87A1055C46DEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860680Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:22.183{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779287FAB0AEDD4E02DEF038B3CEDF47,SHA256=8B42C2E906CAA1856DB3CC680AE26678169889E5BDD02B1D32D8401A9B3366D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860679Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:22.168{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3113109BC0CE2C9725A5FDE2065CE6,SHA256=86BDAB2446682EB823EF77F7C4367CABD4B027D5D1023195A6C241516C172D94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359803Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:22.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359802Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:22.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359801Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:22.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359800Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:22.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359809Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:23.822{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B2F032FF0FB94EB72494CC18E29D7F,SHA256=7D745DDF771752A817B833F735313682BE3E0435AD787AD9395F6A50339394B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860683Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:23.199{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35788A0DE9DDF74F435A8CB0419EBBF,SHA256=8889D1126C8AA3E540986CF20E33DDE904FAD3A8572E9989B5B60B585F17834E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359808Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:23.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359807Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:23.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359806Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:23.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359805Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:23.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359814Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.825{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133FAD8B882A069DDEDBB7A49F3FF28C,SHA256=9E7B157071CE4C90E5F3A820DFF73A7263252AFAA78F8786AA54E557FC24B5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860684Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:24.214{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB09E4D6DFD10708463FAE1E6165763,SHA256=1C178732DF0AB275421998A3A3AA95D8800950C9A82CBBA9F9913756C5F1E915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359813Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359812Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359811Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359810Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359819Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:25.835{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9B4142E6D2C56F4DA669DFB155DECA,SHA256=FB5898BF77B774E5CCB3D64509F094DFE07193190BC91525A00E7026A912D63F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359818Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:25.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359817Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:25.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359816Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:25.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359815Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:25.598{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860685Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:25.261{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C83DA11196378FA9A200960F3B72397,SHA256=93AD760F0B91ACFB484D8EB4FAE74B1705B2A0FF789BAF35BCC01E6071CDDB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359824Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:26.849{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A45D1D0BFCF924D165BF3ACD4583D6A,SHA256=C5BC31AEBA18D5BDC55A5FF7080D5C1D5C76CD0D075C689BC51C74DEEB45F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860686Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:26.277{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438DDCA73E80A005DBA584AFDD5F9D27,SHA256=3800C99C541DBFEE91232EDF5B4E1CA909BA45B7E5299C5277CC52EDF6C42ECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359823Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:26.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359822Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:26.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359821Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:26.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359820Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:26.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359832Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.863{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE185E7613783FEB8C4E7D25E5B48A29,SHA256=A1E84E39576B871AB043D5F496D0C7635543ED2580296DEE08E9A426836774DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860687Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:27.293{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77AB921ED41FAB9B9C6811F6A917D09,SHA256=87776EC39ECC1B008F52C8B6F7892DA9173A156834E3DD975166B793ED3A53CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359831Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:24.680{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1099-false10.0.1.12-8000- 10341000x80000000000000006359830Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359829Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359828Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359827Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359826Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.138{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73CCF29576B754CE8F5D3AB137099297,SHA256=E0D157BE42FE5F633DD45C9421639DB84FF25D6C98812121EB2065B5E6E50D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359825Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:27.137{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F034613D9D37F5361307B4820FD8BD51,SHA256=8EDA8C6BED3F57DD2739B11241B6FF1C5339152C8024CBA09C2C5E858D54F495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359837Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:28.876{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA01307F0209385019B1281666FAE921,SHA256=27F65C0FD1217140C5A0569591040701720D6C079B46F618AEBDFE116EF33580,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860691Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:23.524{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55017-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860690Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:28.308{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4CD7EA0F79DED8AFA3B63A891045EB,SHA256=AE2D9C2E4618518476728A60B16ADF08DC0A991170C70D1C59F912800D9ED5A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359836Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:28.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359835Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:28.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359834Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:28.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359833Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:28.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860689Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:28.121{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F68F368ADDF3F4BF0B2EA050F50B3B5,SHA256=41DF7FA245216F175795796084617FB4DC34A668A4650D19CB17C0C3E5BDE0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860688Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:28.121{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99CCB974782EB844E0ACE42F033B9337,SHA256=7D0A7EF1FC58FFBA94FC218C0304A7C99CB44784EAB12D52DA87A1055C46DEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359842Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.891{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656715071B1EC5ABF16C346601FFD431,SHA256=342C12022C489F615AC68A522C24041E434E7A55AEB8C533D991F109D092129D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860692Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:29.324{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952F51594F1F33BC9D0AF1295B914DCC,SHA256=A9A3E272F0E604CD27258B057ECA721D97FAAB8D34C11B548C374C5754B9DAFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359841Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359840Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359839Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359838Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.599{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359847Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:30.903{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CF285F9DE823FB34F2B4F27C1EE592,SHA256=305881DC0914F864AD58FF8C85E68BD41316CF9A9DA0BC384B7D40B505BE8C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860693Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:30.339{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DC18D618003699B44E57B30F3BE498,SHA256=C7026C931FD6F2455BA9B0974477212D0DB3746F97F6764D77F37C5B03E08AA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359846Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:30.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359845Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:30.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359844Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:30.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359843Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:30.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359852Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:31.919{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2F799B703371D0748224CD262123D0,SHA256=3F168F37B2892EB576AA92B5F57D769B3054230A406B17025CFD7543D17957F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860694Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:31.355{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B641FEEA6B5184AB75F71DAC8E15C5,SHA256=1D0233EDBB9CD81BE8C2AA442EE6C9E916877A06070C393331922F9B4914752F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359851Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:31.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359850Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:31.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359849Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:31.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359848Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:31.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359859Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.923{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919D30319C6350121A72FF61200579B8,SHA256=FB7CD8345A6882EAEFEF15DA87DA9F33D32BD38F186F86EE17094B993A4AC72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860695Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:32.371{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A694AF8D4193CA10B25156DACD61358A,SHA256=D1A74C531E4A5A8CCF6A22D66E904A1C3BB26D042C9E3F6ABB04A6EF7A5F3363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359858Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359857Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359856Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359855Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359854Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.258{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C644EF8FDEA7793181BBCD33C4F3F1,SHA256=741BB5DFC2356DB89FA4DC97A978406FE1B9A4C33C20C1E08EF945E76E9A7F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359853Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:32.257{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73CCF29576B754CE8F5D3AB137099297,SHA256=E0D157BE42FE5F633DD45C9421639DB84FF25D6C98812121EB2065B5E6E50D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359874Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.929{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC21DD317957A712199B475EC9610A6,SHA256=3D8555141C7DEEBA854197755A12FFF5EAA5B1FCF1E3CF330FDB66A9F5352EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860696Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:33.386{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B09518A5325C2B303D719EDFCB177F5,SHA256=D0A1CC011C72CD559FEEDA46A919BA3FE2882BBDCD44F2E1ABE1E92A28846C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359873Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:29.805{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1100-false10.0.1.12-8000- 10341000x80000000000000006359872Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.648{896A638B-C085-605C-A489-00000000AE01}8020936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359871Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359870Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359869Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359868Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.600{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359867Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.505{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C085-605C-A489-00000000AE01}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359866Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.504{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359865Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.504{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359864Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359863Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359862Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.503{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C085-605C-A489-00000000AE01}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359861Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.503{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C085-605C-A489-00000000AE01}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359860Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:33.493{896A638B-C085-605C-A489-00000000AE01}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006359896Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.937{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5383D892392D54E5818403AB4116702,SHA256=0A16022F5504A67AC6BDE4DCC9D7AB83E1733FB140EB5AE634204167FBD2EF98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860700Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:29.555{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55018-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860699Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:34.417{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB01A201C67B605E0F41804BD079B2C,SHA256=FFDAA861D4B372F94A345071C7849C3CF024C37BF5810B842C50D905C58A19C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359895Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.864{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C086-605C-A689-00000000AE01}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359894Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.862{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359893Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.862{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359892Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.862{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359891Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.862{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359890Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.861{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C086-605C-A689-00000000AE01}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359889Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.861{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C086-605C-A689-00000000AE01}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359888Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.852{896A638B-C086-605C-A689-00000000AE01}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006359887Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359886Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359885Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359884Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359883Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.496{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C644EF8FDEA7793181BBCD33C4F3F1,SHA256=741BB5DFC2356DB89FA4DC97A978406FE1B9A4C33C20C1E08EF945E76E9A7F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359882Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.185{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C086-605C-A589-00000000AE01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359881Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359880Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359879Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359878Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359877Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C086-605C-A589-00000000AE01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359876Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.183{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C086-605C-A589-00000000AE01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359875Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:34.174{896A638B-C086-605C-A589-00000000AE01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860698Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:34.167{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6411D86D4AA17FA77B338E66C9919301,SHA256=B798E32B26C3E9F6570CE70E54FABE05077525D8CC491CDB5225994F64549E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860697Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:34.167{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F68F368ADDF3F4BF0B2EA050F50B3B5,SHA256=41DF7FA245216F175795796084617FB4DC34A668A4650D19CB17C0C3E5BDE0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359902Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.952{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEF58E165BB485C10E9BDE9A323AFF2,SHA256=5AA7F62FB4E4697EDE0B021A820A1D9882070F5768505385520759B481B52F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860701Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:35.433{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFF453EB8BF5E828BE83319E37AFB1C,SHA256=1B2D1B0AD275D45FAB62023A3ACA21238A4E74936E5EEF6275CB2FA5062299DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359901Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.856{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547059392B631B1DC453C00796FF97F6,SHA256=DB3B56B7BC39FCC7C62B4B0CA5082E8302CE33D4FD900CBFA241CCA721F70C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359900Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359899Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359898Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359897Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359907Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:36.957{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3FCD78A81A246FAE97BD600C8C7112,SHA256=1D9DDE1C0B79B5613897B7998A38857943F0C89EF23DDF0E30854CBF84896075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860702Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:36.464{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1326A93EF9C9B8BB578C44EDA310FC,SHA256=A018784327AF2844ACA56D979CE676B618F8005E4F4F7670D26F2E801BD2B544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359906Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:36.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359905Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:36.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359904Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:36.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359903Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:36.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359912Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.963{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72031110174F80AE378545B90CADA716,SHA256=95D5FD7B69A760FF37A603FC5E056FFE267EC469D1A12239B03502DC356BFA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860703Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:37.480{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850A2A67875347FAE52DF966C8995A22,SHA256=3702B01CF2CE6249B41B59E3E9D90C5F2E25A20235DAD7FC6AC0984799404B70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359911Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359910Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359909Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359908Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.601{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359921Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.982{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93C9539D7702934DE037F73EE598BE,SHA256=31D79F1E25CC3A4648C86618C6C9C7EAF7713374EDD3CABAE7784DD1E72A4745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860704Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:38.496{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5343D88547E2DE8E30AF630164B6C11C,SHA256=BF138A1B2067EF5C878CAA5718B04B7D990F8DD80F5B5119CE3DD657B6578F83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359920Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.688{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1101-false10.0.1.12-8000- 354300x80000000000000006359919Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:35.595{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63435- 10341000x80000000000000006359918Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.719{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5C0-6058-0100-00000000AE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006359917Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359916Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359915Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359914Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359913Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:38.038{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D559E2C78D8EA17692EBCF7404A16271,SHA256=84015C6CBE699221AB6D0F513574F8521E0DA7937619AE5E2E6F882241047546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860707Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:39.511{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E08D5869B6478426F8AC8C4137FC62,SHA256=AA5E7B28B1BF31150B3B92BE109E1C40E151EA4F565A8D0EB1A903F0DBCB6B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359932Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.164{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1105-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000006359931Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.164{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1105-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local389ldap 354300x80000000000000006359930Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.164{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1103-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local49666- 354300x80000000000000006359929Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.164{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1103-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local49666- 354300x80000000000000006359928Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.163{896A638B-B5CA-6058-0D00-00000000AE01}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1102-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local135epmap 354300x80000000000000006359927Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.163{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1102-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local135epmap 23542300x80000000000000006359926Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:39.629{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=090BE839C9FF3D5606B47F7E52047DEA,SHA256=4852CB3AFEE8EB9EF71FB9896F0742B2BCD7BA70AEB84C2791711497739A50E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359925Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:39.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359924Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:39.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359923Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:39.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359922Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:39.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860706Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:39.292{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D45EE9E2848393E8444F7270159312,SHA256=E37CE806A183993FD5B1073BA08D76A3E064CB1B6921BAEA865C610029781DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860705Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:39.292{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6411D86D4AA17FA77B338E66C9919301,SHA256=B798E32B26C3E9F6570CE70E54FABE05077525D8CC491CDB5225994F64549E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860709Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:40.542{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80B5D2E1B4A52D1F1B22E1EE56FBEC,SHA256=330BDA5A1A6A87B29EB49AAC96391E49EC8403A73A8668361A86EF22C11CFE87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359945Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.278{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1109kpoptruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000006359944Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.278{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1109kpoptruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local445microsoft-ds 354300x80000000000000006359943Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.276{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1108-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local49666- 354300x80000000000000006359942Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.276{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1108-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local49666- 354300x80000000000000006359941Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.275{896A638B-B5CA-6058-0D00-00000000AE01}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1107-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local135epmap 354300x80000000000000006359940Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.275{896A638B-B5CA-6058-1400-00000000AE01}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local1107-truefe80:0:0:0:d5e5:e17e:c4fa:f709win-dc-792.attackrange.local135epmap 354300x80000000000000006359939Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.170{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-792.attackrange.local1106-false10.0.1.14win-dc-792.attackrange.local389ldap 354300x80000000000000006359938Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:37.170{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1106-false10.0.1.14win-dc-792.attackrange.local389ldap 10341000x80000000000000006359937Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:40.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359936Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:40.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359935Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:40.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359934Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:40.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359933Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:40.075{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A85E7C9BC6462E6D4195B9194340DB,SHA256=97F947636791316042FFCC2E8F6B79984C3F713D6FC1E48EADA6863D96C79FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860708Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:34.586{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55019-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860710Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:41.574{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13620BCEA8F06E57FC542501E640EF6,SHA256=3473311ED5890B9EFBEB8159185A94FCC29A69E69814861AB2A2BBBA8BAAFFFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359950Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359949Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359948Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359947Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.602{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359946Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.082{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F958AB7EADFFF04C75FB289ACE210C9D,SHA256=A40A450A55A926AE93636274943908087511ABC7E85807923F8A9BEFAE5263F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860712Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:42.605{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAC2E4197C19BA36FBE9A9D13265125,SHA256=CDC6B91422C4B95EA1809FC85760D29E85A954C15DD4A0EA100F16C3350554A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359955Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:42.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359954Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:42.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359953Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:42.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359952Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:42.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359951Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:42.110{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16405E1C27B3351B8EED460A31E4FEE6,SHA256=D4DD92F11AC8B5A196122659361C5816DCBC1A97CD9A8E5ADCBED74EC554575B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860711Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:42.199{BFB545BB-B8FB-6058-A200-00000000AF01}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860742Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.980{BFB545BB-C08F-605C-9779-00000000AF01}35162964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860741Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C08F-605C-9779-00000000AF01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860740Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860739Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860738Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860737Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860736Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860735Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.855{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860734Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.839{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860733Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.839{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860732Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.839{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860731Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.839{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C08F-605C-9779-00000000AF01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860730Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.839{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C08F-605C-9779-00000000AF01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860729Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.841{BFB545BB-C08F-605C-9779-00000000AF01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860728Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.636{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8B2190D1EBF19FEBB5987E4825787F,SHA256=98BEE10F112B6679C75515328DCF00A34C24DA65D5DA911C58AB27026D639417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359962Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359961Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359960Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359959Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000006359958Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.561{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\SiteSecurityServiceState.txt2021-03-22 16:50:37.956 23542300x80000000000000006359957Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.561{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\SiteSecurityServiceState.txtMD5=A3BD2E50CC328BE64753A56184854BBE,SHA256=9F75E5A06010839AC8ED9617D09DA90628ACC3CDCC0761E80D5AAD5A7B3D28E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359956Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:43.123{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F038D5234029184E36C23B8F78FD2025,SHA256=9B3370F74F8903277F2D955409096D732754BB1777294F67E52CF21AD3D68933,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860727Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:38.601{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55020-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000860726Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C08F-605C-9679-00000000AF01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860725Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860724Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860723Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860722Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860721Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.230{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860720Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860719Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860718Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860717Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860716Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B864-6058-0500-00000000AF01}628644C:\Windows\system32\csrss.exe{BFB545BB-C08F-605C-9679-00000000AF01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860715Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.214{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C08F-605C-9679-00000000AF01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860714Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.215{BFB545BB-C08F-605C-9679-00000000AF01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860713Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:43.199{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D45EE9E2848393E8444F7270159312,SHA256=E37CE806A183993FD5B1073BA08D76A3E064CB1B6921BAEA865C610029781DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860758Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.761{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1BC342C53DAA82C7444153AA5F799E,SHA256=702D6C82D4DEB875EB9A7570D71F2C5CA3499DFB0D91218006BD5E892613E3DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359969Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:41.568{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1110nfsd-statusfalse10.0.1.12-8000- 10341000x80000000000000006359968Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359967Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359966Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359965Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359964Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.127{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5302D649FB81629EDF6E5D9E46AA0486,SHA256=3E4E35FAE655CAB7E99062E9CEB10CE935C50E09C3B83908D482A43EC960A58E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860757Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.480{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C090-605C-9879-00000000AF01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860756Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.480{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860755Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.480{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860754Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.480{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860753Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.480{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860752Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860751Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860750Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860749Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860748Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860747Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-C090-605C-9879-00000000AF01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860746Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.464{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C090-605C-9879-00000000AF01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860745Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.465{BFB545BB-C090-605C-9879-00000000AF01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000860744Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:39.601{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55021-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860743Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.308{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=280C45F3C269BAEFFD7FA0D4432233C0,SHA256=16F53F6901497A36CCA91F645C6E391249A0F4701F829351646BD3D29D753FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359963Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.028{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE244553A83504BC4E66999711E102A6,SHA256=D14EA8FDD2465A41866BC0FE7ABCB25031F68811240D2C350F6547CB2E2679FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860760Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:45.777{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF28A16E21F53444DB1FC51E167EE7E,SHA256=463968BE7ECA30D8EF351D26953D57150BE2541CCEAF10324DE34F376DB25211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006359975Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359974Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359973Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359972Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.603{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359971Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.521{896A638B-FDE4-6058-4A12-00000000AE01}6364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=110595CEF9B4CBA210BA20B2379C084A,SHA256=7D73824D889500B0F5D9723AA57E5770140E65EEF42DCF932AD014F8B83C23F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359970Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:45.143{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713984C90A2D7EA4DFD3613E176C3883,SHA256=029C6C4C02CF0A56B4A1DA9329E1110EF04E5BDBC18EFB67E9335A74D1FF11CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860759Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:45.558{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857A06312811BA0B2482F9160FF09E2A,SHA256=F67689EBE1965BED387E66FDCB2578FB6C86314173250FD6FECAC3BA5917A069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860761Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:46.902{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09329CD4E361F6C7CB81E32D46F2D22A,SHA256=530EE19AB7156B0454F17E3C41B47B0815D0D89DB5F2DECFFDB1C9F100E107F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006359982Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:44.067{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1112-false10.0.1.12-8089- 10341000x80000000000000006359981Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359980Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359979Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359978Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006359977Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.539{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25C9A69918301780928127ABEF11F577,SHA256=CF11D717C5FE48FD8617EA03326B039BBF3DD441464AF202DAA27BDF376E128C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006359976Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.153{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E9B1E8DEAB6BBF998AD260AC5DEA4A,SHA256=B8FCD189A19DD091E44D4A255AF1B6F69BF7B72973D22589CEF145CA5424AE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860762Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:47.980{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7119C2185AC6B1729808A4A4162C90DF,SHA256=3C9E316B4AD84889535B1E8B585AFCD83848E740F6A48432380B904838CA4B24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360004Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.895{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C093-605C-A889-00000000AE01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360003Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.893{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360002Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.893{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360001Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.893{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360000Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.893{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359999Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.893{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C093-605C-A889-00000000AE01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359998Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.892{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C093-605C-A889-00000000AE01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359997Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.884{896A638B-C093-605C-A889-00000000AE01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006359996Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359995Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359994Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359993Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359992Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.371{896A638B-C093-605C-A789-00000000AE01}73166852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359991Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.217{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C093-605C-A789-00000000AE01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359990Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359989Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359988Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359987Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006359986Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-C093-605C-A789-00000000AE01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006359985Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.215{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C093-605C-A789-00000000AE01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006359984Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.204{896A638B-C093-605C-A789-00000000AE01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006359983Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:47.157{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C1361728A7AF047EB2AAC6D3EB900E,SHA256=D26DF9DE0DACF7B48277348682251E369F392FF65D45C345B89EDF5F10A0F7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860763Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:48.995{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F87B205D19C23A1A09C5D1E14DE51AD,SHA256=84A76D612306962F491EF48F3A5B27FA3FE79236F8EA180C60E96E959F86F67D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360020Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.666{896A638B-C094-605C-A989-00000000AE01}57086268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360019Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360018Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360017Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360016Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360015Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.517{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C094-605C-A989-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360014Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360013Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360012Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360011Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360010Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-B5C8-6058-0500-00000000AE01}396512C:\Windows\system32\csrss.exe{896A638B-C094-605C-A989-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006360009Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.515{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C094-605C-A989-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006360008Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.506{896A638B-C094-605C-A989-00000000AE01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006360007Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.220{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6EB944C9E0815A740881D95FE6F1040,SHA256=31FF5137D3BC14D30CA5A3698AAD69D9C91E2BA500431EEE5B0B77CD52B62C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360006Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.173{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B075A4DE4809C20DB72D1E5065462736,SHA256=D8B4D51C9512401EF2923E69708E7EDD76315B54B3C063277EA334D7A9027373,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360005Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.042{896A638B-C093-605C-A889-00000000AE01}41123408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006360035Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:46.695{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1113-false10.0.1.12-8000- 10341000x80000000000000006360034Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360033Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360032Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360031Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.604{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360030Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.512{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063507EB6563F854ED8054B4E68330E2,SHA256=38CC8F694B42382106C889D1C972463DAE164CE6A792A81107BCE06FA6B3796A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360029Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.183{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C095-605C-AA89-00000000AE01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360028Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.183{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D007BD58506087F4A30A720ECBEFBF1,SHA256=90CE44418AAEA8A9640F72547295876EA7F34A4D119BDB65C8BC1D9033864016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360027Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.181{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360026Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.181{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360025Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.181{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360024Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.181{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360023Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.181{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C095-605C-AA89-00000000AE01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000006360022Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.180{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C095-605C-AA89-00000000AE01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000006360021Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:49.171{896A638B-C095-605C-AA89-00000000AE01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000860765Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:44.617{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55022-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860764Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:49.245{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97D71711A552F588723DB96C335CE925,SHA256=D13C036B2B598C58929BE4D7F403496F90B5B09D7C36DEC85A81405D5574D8AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360043Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.157{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1114-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 354300x80000000000000006360042Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:48.157{896A638B-B5DB-6058-2A00-00000000AE01}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1114-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local389ldap 23542300x80000000000000006360041Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.615{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6288D5D8044B16CB2B5F62110C8B5174,SHA256=77D7324BA15CA72CFC5864AE2849A01720DEF0444571BAC83C0A03C90D0F9C23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360040Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360039Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360038Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360037Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360036Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:50.192{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAD12722ED421B531C8399A811BCDB2,SHA256=41327C91B7B0440799006B390E451AF15A8360FD31CE79130BD3E5627114A284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860766Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:50.011{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443F54D7DBEF1577932A3D18B07C5DA,SHA256=CF75FE4E3BF96750382E8A3F80928AA54739E22E3212838DFD24CC707E1C2362,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360048Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:51.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360047Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:51.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360046Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:51.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360045Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:51.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360044Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:51.207{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCFD2E6BAAA9ADB17DC6D5D5FE9F2CD,SHA256=83E33CD361B446F658D6C01AE950A5EA3871A286A9CC042BE943B5002149C791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860780Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.933{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C097-605C-9979-00000000AF01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860779Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860778Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860777Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860776Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860775Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860774Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860773Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860772Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860771Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860770Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B864-6058-0500-00000000AF01}6281076C:\Windows\system32\csrss.exe{BFB545BB-C097-605C-9979-00000000AF01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860769Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.917{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C097-605C-9979-00000000AF01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860768Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.918{BFB545BB-C097-605C-9979-00000000AF01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860767Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:51.027{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB4D258FB5A6B29B56836EBF723B849,SHA256=FD72BE503265E45D5F039B1060E013EC07FD27D5C5831F584833E0B30FA0F3AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360053Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360052Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360051Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360050Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.605{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360049Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.215{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86A77DF388FE4EF2D70B5C88253BEE0,SHA256=861E25399699F2BA8F70A94564BAB13A54144371E3DB5A0567D9192E541983BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860797Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.933{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B25A33564C285FFDAE827A952F44B8C3,SHA256=C8BDC48E5371A703214EAEFD45F665224454BDCD4F9D49516CABB54382F2BE4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860796Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.730{BFB545BB-C098-605C-9A79-00000000AF01}1888816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860795Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.605{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C098-605C-9A79-00000000AF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860794Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.605{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860793Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860792Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860791Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860790Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860789Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860788Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860787Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860786Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860785Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-C098-605C-9A79-00000000AF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860784Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.589{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C098-605C-9A79-00000000AF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860783Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.590{BFB545BB-C098-605C-9A79-00000000AF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000860782Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.058{BFB545BB-C097-605C-9979-00000000AF01}39522168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860781Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:52.042{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A131F4A33B4C81FD8C8D5F000C2CB67F,SHA256=84808055D45949A8A3FFCFE262B3FBCF22CE35E95006F1A8FEFE4D2A2864C67B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360058Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:53.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360057Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:53.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360056Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:53.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360055Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:53.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360054Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:53.238{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B3838FD6487938E1BF189A02C3150C,SHA256=F8CABDE00539F7E5519F9DE90DF8568C7376F60808CF65DBA975206A1A7F94F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000860825Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.948{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C099-605C-9C79-00000000AF01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860824Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860823Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860822Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860821Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860820Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860819Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860818Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860817Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860816Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860815Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-C099-605C-9C79-00000000AF01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860814Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.933{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C099-605C-9C79-00000000AF01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860813Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.934{BFB545BB-C099-605C-9C79-00000000AF01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000860812Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.433{BFB545BB-C099-605C-9B79-00000000AF01}17002892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860811Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.277{BFB545BB-B8FB-6058-A600-00000000AF01}8083700C:\Windows\system32\conhost.exe{BFB545BB-C099-605C-9B79-00000000AF01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860810Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.277{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860809Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.277{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860808Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860807Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860806Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860805Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860804Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860803Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860802Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1C00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000860801Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B864-6058-0500-00000000AF01}628744C:\Windows\system32\csrss.exe{BFB545BB-C099-605C-9B79-00000000AF01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000860800Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.261{BFB545BB-B8FB-6058-A200-00000000AF01}36401220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BFB545BB-C099-605C-9B79-00000000AF01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000860799Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.262{BFB545BB-C099-605C-9B79-00000000AF01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BFB545BB-B865-6058-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BFB545BB-B8FB-6058-A200-00000000AF01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000860798Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:53.042{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3089178C1744B011344A962D7C561016,SHA256=1D0E0791F4B3042A9A81A39A04085285EF336B905247F00A20487E0EA66FADE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860827Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:54.511{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0529B4A27EBC6B843100708445895D,SHA256=955F4C64E1D27FA1EA58E42D977C37A44AD90B12E8568629BC48C5D01C537821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860826Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:54.511{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBFB3419FA174CEB24CAA7C06E452CEB,SHA256=0909B0986869597A842D39C30418710B79CCC22057578E414F09E03819476525,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360063Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:54.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360062Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:54.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360061Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:54.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360060Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:54.606{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360059Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:54.253{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB70CD9895C9CCE2E96D94BB1323D27C,SHA256=915F7CF7E8A89B0A59B39A3227F898E31EEE2DDBA8DCC00E6D123A783A8443F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860828Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:55.527{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F223D6C86DDAC52BCE33A4BF1B5480,SHA256=B6BA3B519D0C93750650829DA21DF4FA5CD144415A16198C9A75E0C5292DF290,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360070Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:52.568{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1115-false10.0.1.12-8000- 10341000x80000000000000006360069Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360068Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360067Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360066Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360065Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.267{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2B91190610A16172AB504086DE2624,SHA256=E0F938C76C4172A09516587C540E14455165DA6DB1C9A7AAE7A1A90A19608DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360064Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:55.019{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA12D56D507E595363129917F89DD480,SHA256=52E1DE645CC73D5D347DE92DB7951BD9E22705D0674767562B42195BDA2C99AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860831Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:56.683{BFB545BB-B866-6058-1200-00000000AF01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D92F33A8BB56A704423EA8CE7AABD30A,SHA256=B4759C4E48511E15CC0EDB4562E9A73315D9EDC47ABB37E65B90582820C6C01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860830Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:56.573{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38E05C7DED9945528D0B308E97FD70F,SHA256=75D57E7544C189B927AB0FFD6519249EE13915F071E35D8B64465E5B6FB49747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360077Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.657{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360076Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.656{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=758B6268FCDE3C3F5E8FF12A61D9A435,SHA256=665F579FAAEE59B04AB6A59AB80B0C234D369DDAB780A03B43F1AAC6FE2A25F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360075Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360074Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360073Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360072Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360071Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:56.283{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802BAFA9E0187A3E3E4CDA6BDFF591EA,SHA256=9C8D73815DE39973DC5472E9233CA61C52E2636454C85D9F39CA610FBD2B4BA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860829Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:50.664{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55023-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860832Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:57.636{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD25A413F45C40865A7C83BF520CBDC,SHA256=DAB11F78E3FFF448EC178F56A890111E82AC27E7D98D6A059BB976023BC31CE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360082Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360081Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360080Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360079Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360078Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.295{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3A449331FA5EB23F6B5FC91BEC8C46,SHA256=622341F8E2C8CE87C49A744FFF8A77B091660ECB09439FAA2530297435E16330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860833Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:58.714{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE6ADFADA6897126D14300AAF177220,SHA256=08539A9288FE64B50697B2F9DC426086AAC91782336AE562BB8333F3CFB092A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360086Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:58.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360085Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:58.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360084Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:58.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360083Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:58.395{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C97F8FAB9492D4064E4B7242D2E678E,SHA256=C38CC67BBB43371369F210372A21A96630B5CE902FB984400813F89232757F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860834Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:59.761{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A11580D2C1F2242248C5E9119830D52,SHA256=F283AB9EFC425164AC841DBDF80493B085113917967FF9F63A94797EC2163A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360092Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:59.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360091Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:59.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360090Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:59.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360089Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:59.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360088Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:59.399{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028B35EB8B98EA332AC3579386C434D7,SHA256=5FA92AD2AC7341B4CD13EFB11C0724F4336FBBFD1C2B3CF6056F30305BD363D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360087Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:58.607{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000860835Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:00.792{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776B015DFB2D67CD527EB0C6951F0548,SHA256=14A0984F8E7217757D1392EFF3C0DBC61F37371FFD9E3675AD786E8D0919BC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360099Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360098Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360097Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360096Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360095Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.414{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21878404BA593252F22139D9C3AA2591,SHA256=CCF85FB0158FE3BAD6EE157D7C605DFA5B95863E9111B927AC1F5C60C848FE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360094Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.144{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B7EE00191B02F183F28C73A71746752,SHA256=DCD8032C174B9590514506704878EACB77DFE6A6B76E2503465E26B8C1A5B42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360093Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:00.143{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9149BB542C6486A7587924790ABC0CEF,SHA256=788E6C691F3C1FDC39BB84598C2935474C4D29DD9594513C14F2CDACF6F7DF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860839Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:01.808{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DCD6B54AD672BE95FB4AE28243BAC8,SHA256=D05B59CE5CC078537DF1A8609AD123EC4BD5C1BFD618D50EE931B78D06097471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360105Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360104Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360103Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360102Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360101Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.421{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD682A6679CEDD103FD4B6A444214201,SHA256=5153C55FA4636E5594B7ED89947903381B08C8E64E7C3F4C305E41F0334B628A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860838Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:55:56.476{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55024-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860837Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:01.073{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085F2F7108C13B5BC86773D3471CF2BF,SHA256=65521B5A4D30B7ED001D76D950731B64616C1F6D3ACE67D512DBED6DC14CD540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860836Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:01.073{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8336C998EB0D35FDE57423D346C10B04,SHA256=333B32FD1DC469D8934903CB2CDB0DCA2A1854541CFD9F0535274D920950BC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360100Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:55:57.695{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1116-false10.0.1.12-8000- 23542300x8000000000000000860850Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:02.902{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0D5357D93DC91F20AE78A9780D6E37,SHA256=E8A896DDAD445A57AE7A5FF98CB48959E8AE1BB1ED821D58790A122898680D58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360110Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:02.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360109Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:02.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360108Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:02.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360107Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:02.608{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360106Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:02.442{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9344A1A807E04ADDE960ED0196A99331,SHA256=8BDC4939EA5A4DCBB41C10EDF19ED0D86E1F98EA9127D05D90C6E8076AC02D36,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000860849Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000860848Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc045c7) 13241300x8000000000000000860847Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7218f-0x5acb7802) 13241300x8000000000000000860846Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72197-0xbc8fe002) 13241300x8000000000000000860845Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d721a0-0x1e544802) 13241300x8000000000000000860844Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000860843Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc045c7) 13241300x8000000000000000860842Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7218f-0x5acb7802) 13241300x8000000000000000860841Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72197-0xbc8fe002) 13241300x8000000000000000860840Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-SetValue2021-03-25 16:56:02.855{BFB545BB-B865-6058-0B00-00000000AF01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d721a0-0x1e544802) 23542300x8000000000000000860851Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:03.917{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61F22A9CC00CF1A67607DC521EF2406,SHA256=7DC872C76702527C62871D8916B300482148A0C3B88E93928D4CC42356764ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360115Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360114Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360113Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360112Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360111Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.457{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FC6E99B6E193758134EC4EB68004A5,SHA256=A5AA9965224778B962C56CBE0FB1D7083130FFD6798AF87EBF42052B8AC5CCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860852Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:04.964{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0368752735EFDF50F89CC0BAEAAB45EC,SHA256=995A276CE1499813E705953277252D63D2E8C18F00DE0DFA04D3F190A8D4F382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360121Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360120Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360119Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360118Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360117Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.468{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73972F4303EA106C8BAB2FCA302C721,SHA256=6C39B6D00B20BF36121A7E960662D405A563EA2E6077289A37C5BCD4370FFE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360116Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:04.070{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B7EE00191B02F183F28C73A71746752,SHA256=DCD8032C174B9590514506704878EACB77DFE6A6B76E2503465E26B8C1A5B42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860853Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:05.995{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F2214BBDBF4FE10FE109338931A39F,SHA256=87E851B0E7AF457016A33C4E2786AB311B4738815011543B96AAFB58A4AC5345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360130Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360129Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360128Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360127Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360126Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.485{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05050D52EEC6B4F2E51D62F0C8450B5,SHA256=4781715372301449E47B9DE51C52814238F03C19E117A632FEDD241ED9431B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360125Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.737{896A638B-B5DC-6058-3900-00000000AE01}3340C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1120-false169.254.169.254-80http 354300x80000000000000006360124Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.651{896A638B-B5DC-6058-3900-00000000AE01}3340C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1119-false169.254.169.254-80http 354300x80000000000000006360123Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.620{896A638B-B5DC-6058-3900-00000000AE01}3340C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1118-false169.254.169.254-80http 354300x80000000000000006360122Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:01.619{896A638B-B5DC-6058-3900-00000000AE01}3340C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1117-false169.254.169.254-80http 10341000x80000000000000006360136Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360135Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360134Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360133Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.609{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360132Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.499{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445076DAD9BC5CB2690D258AC7349C12,SHA256=37FF426F8E21ED78D79E9D8B141847A3604969A31CFB2AAE7995F462C8022814,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860856Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:01.538{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55025-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860855Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:06.167{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=773089BE8A9A0A56DD12E237B657492F,SHA256=BF39F0FFBC1D72F6121A9DDAAC3008276389D1189080BA99A5DB2235AB42AB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860854Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:06.167{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085F2F7108C13B5BC86773D3471CF2BF,SHA256=65521B5A4D30B7ED001D76D950731B64616C1F6D3ACE67D512DBED6DC14CD540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360131Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.250{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF64C603DD0675F63DF7F5359B2FCD99,SHA256=22CEDAE0B2ECF75724C10A6468482B1A9BB7BAC0191FF0BFE956BFB3786EDF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360143Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.649{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=96F80047EB37D0632E7A87020CE0D666,SHA256=E5BF83991016CFB1C6751D5508CC2038E7100692013205A1588AADD7093BEB64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360142Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360141Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360140Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360139Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360138Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:07.503{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858634882BFACA1EE86F46526D3B5C78,SHA256=9A600A295BF7B161BE615DA4FBE9C4426661ED9AD368900503C86081D4E09086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860857Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:07.011{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7F66C5CD6D03B204849AD23EAEA61D,SHA256=EC5139DBCEB9DEAF1BAC9D505553159FD280CBD6E7B20B283858E476E504F236,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360137Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:03.574{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1121-false10.0.1.12-8000- 10341000x80000000000000006360179Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360178Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360177Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360176Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360175Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360174Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360173Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360172Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360171Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360170Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360169Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360168Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.697{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360167Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360166Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360165Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360164Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360163Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360162Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360161Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360160Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360159Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360158Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360157Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360156Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360155Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD63-605C-1987-00000000AE01}7848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360154Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360153Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360152Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.696{896A638B-B5CA-6058-0D00-00000000AE01}884904C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360151Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360150Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360149Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360148Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360147Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.516{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC0715FE61273319F060B08C9232828,SHA256=BA321ADB625E3B4C7D4F00399D705F035304E67DD3171EB80B61FBD0DE1A2343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860858Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:08.073{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C7BEE38E0E5BC6DB13351E4F18A115,SHA256=0D6BC8318E973975C08EE7A67DCC41E018BC629FBCCE971B427865729E344CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360146Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.062{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=581425668875FD797469393B232F4281,SHA256=E9F7C2C7B6567202A9623DF7616513EBACD1B8C3CC406FF4675664673607B38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360145Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.014{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000006360144Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-DeleteValue2021-03-25 16:56:08.006{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x80000000000000006360190Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.735{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEFF8E2EB69F5CE7784D78981B25421B,SHA256=CAF9F5E5768BC1EB08D28891C986EB44950C23A20ED5B33C34F7CE6271B74428,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360189Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360188Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360187Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360186Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.610{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360185Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.589{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EDED3DECCDDF32D3BBC9064D6DE69C,SHA256=8D769D326C48BA52FAC686B637B8A7FDB37139C70E08962D21523B2BD8BAA701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860859Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:09.151{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1709207C41E4DDB18D0D4940181CDC36,SHA256=F8158EA67F560127D169CBBB251A8AF49BE84B751B13D96145637A4A46AC8018,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006360184Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.092{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1122-false52.84.161.37server-52-84-161-37.sea19.r.cloudfront.net443https 354300x80000000000000006360183Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:06.074{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53041- 354300x80000000000000006360182Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:05.617{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local56663- 23542300x80000000000000006360181Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.017{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0868583067D7DE120412C64B2EEB738,SHA256=D7E4633630390EC1327BFBABE72029809E800B6FEECA62332747EDDA3D2D5C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360180Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:09.016{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFCD31AF7F75AF5751A5752A62BA899,SHA256=93C3F8F8FD6EDD72D3AE8D48C2800609EADD1F435A2D2374E2CA0055A0D8455F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360195Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:10.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360194Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:10.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360193Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:10.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360192Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:10.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360191Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:10.595{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D69BA1F3FAC0C00FDD73FF16E9A118,SHA256=78D6CB0EBAF911EB699B50CC18F4E3A1414CB731D031BE835C7A262D5D682952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860860Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:10.167{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5913DC21009C5CBB081D31920E57C59,SHA256=6A286C5C54E63D3A9A614FD5637604D6ED58C3D043363421F943C53EFC35446D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000860864Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:06.585{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55026-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000860863Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:11.214{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A526C5DFBB39D32687DBFFB9C7667950,SHA256=B50BD580901129A549BA42DADDCED635C972799A970A7F8A28120B9BAEB40358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360201Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.622{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B5CE709DBA9544920927B048FBD4D0,SHA256=7E84CA15F8C38F94CB127651AE00272C4324C067CEEC5F8567A919DE0B3C9387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360200Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360199Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360198Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360197Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.611{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000006360196Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:11.155{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC7859FE3ABB26E64443111CC8D0C67,SHA256=BD961C0B1C7E0208C6258FF72C59ED0D2C67EF8EEA9B7B92E110EBD2F89AD2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860862Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:11.198{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1C7BAAE6970FF1EB75679A2EF59344,SHA256=E109876F21A8C0899827D459FE9AEB76E7E25B8D4A9488F309640079C06665E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860861Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:11.198{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=773089BE8A9A0A56DD12E237B657492F,SHA256=BF39F0FFBC1D72F6121A9DDAAC3008276389D1189080BA99A5DB2235AB42AB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006360207Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:12.628{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D623ACBE22CCB62AD70EABE4502494,SHA256=68E89D5FAE90253CDF9B9989DE8538A9D666AF661A50B7F5CB60E92144640C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860865Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:56:12.230{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350C39D5CA99313085C9B0667ED2ECBB,SHA256=5A8C52D1FF3DB3ED6A450D313DA4E77725472CC7FBF2D2CE2C766815A43151B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006360206Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:12.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360205Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:12.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360204Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:12.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360203Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:12.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000006360202Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:08.702{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1123-false10.0.1.12-8000- 10341000x80000000000000006360211Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:13.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360210Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:13.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360209Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:13.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000006360208Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:56:13.612{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821