23542300x8000000000000000860459Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:02.981{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29650D4D00EF2580B4F49A0F7B762B7,SHA256=A724E3BB7D78971C217A2D6B15C862D6F3335663C07AA28D255CD0C924280CBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358856Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:02.563{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66752473E6A492DFAE0CD4EAE118A95,SHA256=FAC5EBAFAF6E8DA7FE1CDBB1D3E53B86016507D7F4E3E6920F89503D0B3B5C58,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860460Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:03.997{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFCD815DA564CACB0FC3D23784A4449,SHA256=24E70D75F40A3D5B558682A87E19EAB275B2AA16D7BFD9F1E7D61CD3576EEDF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358861Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.644{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B0F1C263646DD4CA1F2617CA634199,SHA256=6530CBAF29FC3A4734278DD71D40331A315DFB639E7A70866B48643C02F5A80D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358860Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358859Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358858Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358857Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:03.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000006358869Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:01.734{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1075-false10.0.1.12-8000-
23542300x80000000000000006358868Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB5911E87FDBF4E8E11C20819EA9E3B,SHA256=B96F110F5D9ADE0DA7E08F64003C0A3F23A0FBE212598E9721AB3E7C863E3C4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000860463Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000860462Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000860461Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:04.153{BFB545BB-B865-6058-0C00-00000000AF01}9402216C:\Windows\system32\svchost.exe{BFB545BB-B866-6058-1500-00000000AF01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006358867Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.189{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0646698DA8B8A7BC39F90679A4017B85,SHA256=4A0E34A39D7357AFD91B5A4E6D6E055030C2E904621AEF8D677DF41AAD24AD8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358866Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.188{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932BBDD91B37B167299A581BC64EBB85,SHA256=821A57FE144E93B78DFFB3826C05F49FA0D47939A4C65546B73C1C97891076B3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358865Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358864Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358863Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358862Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:04.006{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006358874Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.674{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E724751F7C2A5C3BE33E9832D04DD91A,SHA256=C699B5B94023D67AABBE648375459B0374A7C23E91BB812B3F776BD5F4A3651E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860464Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:05.028{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AC9B17C622B787E242A8AAC239A86C,SHA256=3B2DC20ECD55E6DCD9D68640D321F3705B81E10C254DE86881D08AA235DB7C12,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358873Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358872Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358871Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358870Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006358879Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.681{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788FD95B11A42E8F0929FE2075936A19,SHA256=33B3627EA1BB7BBD72928B951256250D98F0B9FB9B9E4DF6335AA142807A8746,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000860468Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:01.525{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55001-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000860467Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9407C3BFC174D7CA0073F80410FFC68,SHA256=F563FB1371CECFDE998E8B62939BED60B3C4FD98CD217B28DB0EF7D1D3E0B16C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860466Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9CD681E9129511E84EC0B5B1FA06C00,SHA256=4373D46D412A4DF2FBE5F86CD4CA8F295542D78D72F8DF4F5666A14546F6CEB1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860465Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.043{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121FA9FD349FAB9B0D08E9A799CC24FA,SHA256=438553AE47CC2F2DADBE71F5517A3503372E89E27D7E015E173DBC3B62128448,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358878Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358877Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358876Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358875Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006358905Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.892{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\downloading\BITC17A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358904Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.706{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC180C8D986C64C17A37546016CEFBAC,SHA256=DF73B4545E234D1C1D1B3513AAFC89CBFBD0285FEEAAB203AAD054D56970DE34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358903Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.698{896A638B-B5CB-6058-1600-00000000AE01}1308NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\downloading\BITC17A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860469Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:07.059{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B23CECE26FB128D3F98E2AB46016CA,SHA256=A52550A4A283D960F755A3B23DD6CAA116F23D4AC3B591093A5A37609BA168A7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358902Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.694{896A638B-B5CB-6058-1600-00000000AE01}13084668C:\Windows\System32\svchost.exe{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b
10341000x80000000000000006358901Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.680{896A638B-B5CA-6058-1300-00000000AE01}3882296C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x80000000000000006358900Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.673{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358899Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.672{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358898Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.667{896A638B-B5C8-6058-0B00-00000000AE01}6126888C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
23542300x80000000000000006358897Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.646{896A638B-B5CA-6058-1200-00000000AE01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0BF65B42F43E5D7CF27101C28E685ECA,SHA256=2A06980D214858202BE3955160371EA711144BF254F9446486AE241821FA870A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358896Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.642{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x80000000000000006358895Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358894Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358893Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358892Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.613{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358891Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358890Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358889Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358888Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358887Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.612{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358886Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.611{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358885Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.611{896A638B-B5C8-6058-0B00-00000000AE01}6128108C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x80000000000000006358884Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-SetValue2021-03-25 16:54:07.604{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSeb4f0a61-2545-408a-a3c5-94bcc9e30c81
10341000x80000000000000006358883Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358882Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358881Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358880Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000006358991Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.428{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1080-false99.84.73.60server-99-84-73-60.hio50.r.cloudfront.net443https
354300x80000000000000006358990Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.357{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53193-
354300x80000000000000006358989Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.332{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53193-
354300x80000000000000006358988Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.322{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1079-false52.26.78.84ec2-52-26-78-84.us-west-2.compute.amazonaws.com443https
354300x80000000000000006358987Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.292{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55081-
354300x80000000000000006358986Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.267{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local55081-
354300x80000000000000006358985Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.228{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1078-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001-
354300x80000000000000006358984Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.228{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1078-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001-
354300x80000000000000006358983Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.205{896A638B-B5C0-6058-0100-00000000AE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1077-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001-
354300x80000000000000006358982Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.205{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local1077-true0:0:0:0:0:0:0:1win-dc-792.attackrange.local47001-
354300x80000000000000006358981Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.092{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-792.attackrange.local1076-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https
354300x80000000000000006358980Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.077{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53848-
354300x80000000000000006358979Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.077{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local65028-
354300x80000000000000006358978Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.075{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local65369-
23542300x8000000000000000860470Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:08.075{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C5BC87E9856CF9B7ECF09FCA38832,SHA256=AF62482D769998ABD4C116C591E3622292E25E9296CA3AD16FC52B2DC0DE1BA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358977Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.655{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFCD31AF7F75AF5751A5752A62BA899,SHA256=93C3F8F8FD6EDD72D3AE8D48C2800609EADD1F435A2D2374E2CA0055A0D8455F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358976Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0E451643E36377E58E313593766C2D9,SHA256=D456F8E2C1254E48D6FDA3E8C7F43B3A3155C6EF7E95F1F9BD0CFC74FEB0CCEB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358975Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.434{896A638B-B5CA-6058-0D00-00000000AE01}8845328C:\Windows\system32\svchost.exe{896A638B-B5CA-6058-0C00-00000000AE01}824C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
11241100x80000000000000006358974Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.309{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll2021-03-25 16:54:08.309
11241100x80000000000000006358973Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.309{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\vcruntime140.dll2021-03-25 16:54:08.308
11241100x80000000000000006358972Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.307{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exe2021-03-25 16:54:08.307
11241100x80000000000000006358971Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.303{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exe2021-03-25 16:54:08.303
11241100x80000000000000006358970Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.293{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\ucrtbase.dll2021-03-25 16:54:08.293
11241100x80000000000000006358969Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.292{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dll2021-03-25 16:54:08.292
11241100x80000000000000006358968Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.291{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dll2021-03-25 16:54:08.291
11241100x80000000000000006358967Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.288{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exe2021-03-25 16:54:08.287
11241100x80000000000000006358966Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.286{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe2021-03-25 16:54:08.286
11241100x80000000000000006358965Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.285{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exe2021-03-25 16:54:08.285
11241100x80000000000000006358964Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.277{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dll2021-03-25 16:54:08.277
11241100x80000000000000006358963Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.258{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dll2021-03-25 16:54:08.257
11241100x80000000000000006358962Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.256{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dll2021-03-25 16:54:08.255
11241100x80000000000000006358961Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.255{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\msvcp140.dll2021-03-25 16:54:08.255
11241100x80000000000000006358960Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.254{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dll2021-03-25 16:54:08.254
11241100x80000000000000006358959Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.253{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dll2021-03-25 16:54:08.252
11241100x80000000000000006358958Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.250{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dll2021-03-25 16:54:08.250
11241100x80000000000000006358957Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.249{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exe2021-03-25 16:54:08.249
11241100x80000000000000006358956Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.249{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exe2021-03-25 16:54:08.249
11241100x80000000000000006358955Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.248{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exe2021-03-25 16:54:08.248
11241100x80000000000000006358954Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.245{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dll2021-03-25 16:54:08.245
11241100x80000000000000006358953Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.244{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dll2021-03-25 16:54:08.244
11241100x80000000000000006358952Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.244{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dll2021-03-25 16:54:08.244
11241100x80000000000000006358951Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.239{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dll2021-03-25 16:54:08.239
11241100x80000000000000006358950Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.236{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll2021-03-25 16:54:08.236
11241100x80000000000000006358949Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.234{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dll2021-03-25 16:54:08.234
11241100x80000000000000006358948Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.224{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe2021-03-25 16:54:08.224
11241100x80000000000000006358947Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.220{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exe2021-03-25 16:54:08.220
11241100x80000000000000006358946Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.194{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\d3dcompiler_47.dll2021-03-25 16:54:08.193
11241100x80000000000000006358945Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:08.192{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exe2021-03-25 16:54:08.192
354300x80000000000000006358944Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:05.554{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local50992-
11241100x80000000000000006358943Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.140{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-utility-l1-1-0.dll2021-03-25 16:54:08.140
11241100x80000000000000006358942Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.137{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-time-l1-1-0.dll2021-03-25 16:54:08.137
11241100x80000000000000006358941Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.134{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-string-l1-1-0.dll2021-03-25 16:54:08.134
11241100x80000000000000006358940Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.132{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-stdio-l1-1-0.dll2021-03-25 16:54:08.131
11241100x80000000000000006358939Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.130{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-runtime-l1-1-0.dll2021-03-25 16:54:08.130
11241100x80000000000000006358938Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.129{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-process-l1-1-0.dll2021-03-25 16:54:08.129
11241100x80000000000000006358937Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.128{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-private-l1-1-0.dll2021-03-25 16:54:08.128
11241100x80000000000000006358936Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.127{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-multibyte-l1-1-0.dll2021-03-25 16:54:08.126
11241100x80000000000000006358935Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.125{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-math-l1-1-0.dll2021-03-25 16:54:08.125
11241100x80000000000000006358934Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.121{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-locale-l1-1-0.dll2021-03-25 16:54:08.121
11241100x80000000000000006358933Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.119{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-heap-l1-1-0.dll2021-03-25 16:54:08.119
11241100x80000000000000006358932Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.118{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-filesystem-l1-1-0.dll2021-03-25 16:54:08.118
11241100x80000000000000006358931Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.117{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-environment-l1-1-0.dll2021-03-25 16:54:08.117
11241100x80000000000000006358930Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.117{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-convert-l1-1-0.dll2021-03-25 16:54:08.117
11241100x80000000000000006358929Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.116{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-crt-conio-l1-1-0.dll2021-03-25 16:54:08.116
11241100x80000000000000006358928Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.115{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-timezone-l1-1-0.dll2021-03-25 16:54:08.115
11241100x80000000000000006358927Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.114{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-synch-l1-2-0.dll2021-03-25 16:54:08.114
11241100x80000000000000006358926Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.113{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-processthreads-l1-1-1.dll2021-03-25 16:54:08.112
11241100x80000000000000006358925Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.111{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-localization-l1-2-0.dll2021-03-25 16:54:08.111
11241100x80000000000000006358924Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.110{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-file-l2-1-0.dll2021-03-25 16:54:08.110
11241100x80000000000000006358923Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.109{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\api-ms-win-core-file-l1-2-0.dll2021-03-25 16:54:08.109
11241100x80000000000000006358922Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.108{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dll2021-03-25 16:54:08.107
11241100x80000000000000006358921Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:08.103{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dll2021-03-25 16:54:08.103
23542300x80000000000000006358920Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.046{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=88F490C8471263CEFC823158BC1BD4B0,SHA256=39280623A0ED7DAB3DEA551B792A65F3E27340F5A666490ABD92DE58C5F9A020,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358919Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.030{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006358918Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.029{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358917Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358916Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358915Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-B5CA-6058-0C00-00000000AE01}8242756C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358914Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.028{896A638B-C9AE-6058-4C07-00000000AE01}34204632C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+39c4d5a|C:\Program Files\Mozilla Firefox\xul.dll+3d3b3c|C:\Program Files\Mozilla Firefox\xul.dll+39e17ce|C:\Program Files\Mozilla Firefox\xul.dll+1c50a|C:\Program Files\Mozilla Firefox\xul.dll+39e1fe4|C:\Program Files\Mozilla Firefox\xul.dll+cb641a|C:\Program Files\Mozilla Firefox\xul.dll+4155f|C:\Program Files\Mozilla Firefox\xul.dll+403bd|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+cbe2e2|C:\Program Files\Mozilla Firefox\nss3.dll+f943a|C:\Program Files\Mozilla Firefox\nss3.dll+ecb31|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006358913Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.013{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exe86.0.1Firefox Software UpdaterFirefoxMozilla Foundationupdater.exe"C:\Program Files\Mozilla Firefox\updater.exe" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0 "C:\Program Files\Mozilla Firefox" "C:\Program Files\Mozilla Firefox\updated" -1C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2MediumMD5=0CAAD3A6E62C8DEAFC160569FDB38EFA,SHA256=8D1FCBBF1872669F0DB776C643022C55DF92C2AD8CA6F17AB920E93539A5029B,IMPHASH=6BB751462A4674EA8871D6EED6988FCC{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"
23542300x80000000000000006358912Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.016{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0646698DA8B8A7BC39F90679A4017B85,SHA256=4A0E34A39D7357AFD91B5A4E6D6E055030C2E904621AEF8D677DF41AAD24AD8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358911Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.014{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358910Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358909Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358908Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358907Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.007{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006358906Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:08.006{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=21B14FA7F5DEED372D093DE77DB5C795,SHA256=EC6C7C37BE67A0E4443C2A14B2BB45414FA992D0AEE701D18E8B30DD6F99731A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358999Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.904{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301FD684A1D0E6CB0DEBA35D2A5220B,SHA256=25CA174180C19DB422FD1C0EBFC6EAA2C5B4E5F24D18C602810B16EF1CB97FDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860471Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:09.090{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A84FE0D1BB8933CAE6A527DDA6FBD8,SHA256=30B36EA74ECBF2B8547DB75385EB8BDEC2F94C924F7976F76316595180EEBB16,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000006358998Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:06.459{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1081-false99.84.73.60server-99-84-73-60.hio50.r.cloudfront.net443https
23542300x80000000000000006358997Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.055{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92CE1F62026D90F329122ECD433939E,SHA256=AE7CBDEB5F8B78D57E881CE43094C5AC9089F54EDE2A3AB8CAABDF2E6B2BFB9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006358996Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.054{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D46BDF3CF530465155C79EB69AA628,SHA256=E9C9B80829DD6A911FD7D8ED4D37AF7D97B11B5CE5AD39D12355678B896786D5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006358995Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358994Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358993Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006358992Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:09.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359005Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.547{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll.sigMD5=C458200B262607EBBD3C19BC68F02056,SHA256=CBCE689916F6BD93CF3AE65BBFD2323CD8DA3A3D56058F7BC095747429DD788E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359004Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.074{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B50A6DA0CC8A2B845DB81EACBF9B499,SHA256=3F8177F3BF11DFDA9B7F819D9170C6E21CCDDA5EB59F9A0FCB8E8E77D895ABE0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359003Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359002Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359001Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359000Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:10.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000860472Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:10.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7F971682F03F5A5F934AF09B0F781B,SHA256=D4B2F388CE25CD4CF22E474BC4364EF83A3FE620D6EB2CF41ADD47B2A956C324,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359019Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:11.767{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dll2021-03-25 16:54:08.309
23542300x80000000000000006359018Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.767{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\xul.dllMD5=E085DCE70C7F8C9EE9A804E9E3E8E67D,SHA256=0ECC2C0CAA97762277401B330204C0A4DC175692A51CF78EA6C2A903ACFBC0D8,IMPHASH=760C534AA07F0E10F4E1CBE431280F84falsetrue
354300x80000000000000006359017Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.630{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1082-false10.0.1.12-8000-
354300x80000000000000006359016Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.461{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local50021-
354300x80000000000000006359015Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.460{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-792.attackrange.local53domainfalse10.0.1.14win-dc-792.attackrange.local62794-
354300x80000000000000006359014Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.460{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local61429-
354300x80000000000000006359013Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.459{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local56936-
354300x80000000000000006359012Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.300{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local63197-
354300x80000000000000006359011Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:07.300{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local52121-
23542300x80000000000000006359010Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.102{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B7F0DAA0AE54919E821463951844DC,SHA256=328FE5D213D915DA0EAAAD84B0C10BA21662C8E9A4E1AECC3EEAB54741A3B8F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860475Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7793159278806FFAAB108063F9482F,SHA256=0D0C5EA80B21F73F48BE2B5955F7AD10F6A58C7F3FCDF3C38300847B5E2E7BDB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860474Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9407C3BFC174D7CA0073F80410FFC68,SHA256=F563FB1371CECFDE998E8B62939BED60B3C4FD98CD217B28DB0EF7D1D3E0B16C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860473Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:11.122{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E07FBF033A56E55CAF13E835C71CF4,SHA256=1A90A4F6E55B788B018E087B6ED219E80DBEB357EAF296B4AC01704C9EA3F821,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359009Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359008Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359007Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359006Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:11.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000860477Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:12.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FDC2060102675592A067610C9C2ABE,SHA256=8298F5B0B4DABC6F274267174FCD3FE20EE43A5B70C3A79054B200B09D3E51E2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359079Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.746{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exe2021-03-25 16:54:08.192
23542300x80000000000000006359078Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.746{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\crashreporter.exeMD5=9C565EB893C4D1CF3F85CA539009B9C8,SHA256=0129DCA6E2287A55D46F8D0F6E690CC90E96C03E1A14475881B1C4FE21447402,IMPHASH=8EBD8B03FBDBAB7D4792FDBB60C96D92falsetrue
11241100x80000000000000006359077Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.740{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exe2021-03-25 16:54:08.220
23542300x80000000000000006359076Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.740{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\default-browser-agent.exeMD5=97D2F00500F66B6A8D7B88743DDE10C7,SHA256=DE84310FD61BADB2BB8E2844896F49EC4FFCA02C8DE694A77E2DF272A7EE0926,IMPHASH=8E4BFDD6F6CFAA4316FB1CA7E3ACBA66falsetrue
11241100x80000000000000006359075Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.730{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe2021-03-25 16:54:08.224
23542300x80000000000000006359074Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.730{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exeMD5=5B68C17D571DCAB4E2FA29EE0DBEC5CB,SHA256=929A1A95196BD1165433CEBF4152A2FAB6EFC3D2EB298E08F8229C5B22AE8DC9,IMPHASH=8FBF1ADBCE9C978414F8FE0722EC7401falsetrue
23542300x80000000000000006359073Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.722{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\firefox.exe.sigMD5=E85203BFB2A5F437E93565986C2F17B8,SHA256=A02EA0645354984CDD2DF9FEE1C47143F9EB7B3860CE3A0CDD0F5049250B6690,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359072Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.720{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dll2021-03-25 16:54:08.234
23542300x80000000000000006359071Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.719{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\freebl3.dllMD5=224C0F6E09DC0D5E5E5F343765500C5C,SHA256=8E1127F8B81EC2849EF860850025E39A0DDBF0CA93855BDC54275029B45FECD3,IMPHASH=53652A7DC9DFE48EFEF7CDBD318659AFfalsetrue
11241100x80000000000000006359070Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.709{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll2021-03-25 16:54:08.236
23542300x80000000000000006359069Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.709{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dllMD5=2AF446AB140C67CBEA5A00DDC3787B04,SHA256=749438B7358EC94E3859B1C96E958E7FA0CCE85BFBECEBAB5E8530C8AFF72744,IMPHASH=9616EE7CBB91354D54B7E6653D9C472Efalsetrue
23542300x80000000000000006359068Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.706{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\gmp-clearkey\0.1\clearkey.dll.sigMD5=3FACC94B632C1E857415250CE5C37B37,SHA256=4A9B930FFDE7D4B7FA01495F2AC4A6C31CDE5BE65863397961D9B43DAD8658AD,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359067Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.705{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dll2021-03-25 16:54:08.244
23542300x80000000000000006359066Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.705{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\lgpllibs.dllMD5=C266AB99302A0CDE9B34A32695BE3BBA,SHA256=2938AE1A7E5B4151485828759F017FEA74918408748DA64E2C2C33B091F75C79,IMPHASH=451AECEA9F58042E76D96A82BE2804FAfalsetrue
11241100x80000000000000006359065Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.704{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dll2021-03-25 16:54:08.244
23542300x80000000000000006359064Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.703{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libEGL.dllMD5=F43032C3942F1584A0B45CC195D19F36,SHA256=F08887754BD6CC589DF2DB205CD37AE5F7DC1A4F62EBF097349AAFD952836B6D,IMPHASH=45C02D0DAE806A78FA0B6FD156E8FE18falsetrue
11241100x80000000000000006359063Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.688{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dll2021-03-25 16:54:08.245
23542300x80000000000000006359062Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.688{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\libGLESv2.dllMD5=E9C4523F31BFC3329414E77CE3C01D1D,SHA256=5D25BFE547DBE7FA854DE20EF9DBE74EE04862C5360F7300C8D72AF159339EB0,IMPHASH=53B978A281F673CF0A5B322B6A728EFFfalsetrue
11241100x80000000000000006359061Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.644{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exe2021-03-25 16:54:08.248
23542300x80000000000000006359060Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.643{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice.exeMD5=2C8598CD76958DE4F9DD128DA734EAE9,SHA256=C19B86BFCF91B4B64BA951A9CFFCE5BFB48C8B4338EE6BA35DCBC26EBB59D591,IMPHASH=E4793B8A2E804520C3AE2CFD62D76D97falsetrue
11241100x80000000000000006359059Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.639{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exe2021-03-25 16:54:08.249
23542300x80000000000000006359058Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.639{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\maintenanceservice_installer.exeMD5=F51270AE8DE857422D7AB0881CAC50CE,SHA256=EC97B8AC201DD92CADE670F023983721CFFADDD47160536C334E2FBEE66FF3B7,IMPHASH=E2A592076B17EF8BFB48B7E03965A3FCfalsetrue
11241100x80000000000000006359057Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.635{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exe2021-03-25 16:54:08.249
23542300x80000000000000006359056Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.635{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\minidump-analyzer.exeMD5=54076F8E5429754913F374EF22566F88,SHA256=A113C6F7E58C038D0BE3913BD9F4FC71147B83259B5B5BEF8BED3700512FE76C,IMPHASH=C026F4538962546154985082F0414A24falsetrue
11241100x80000000000000006359055Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.623{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dll2021-03-25 16:54:08.250
23542300x80000000000000006359054Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.623{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavcodec.dllMD5=076CAAA89D765790AF1ECF20C3A30ED1,SHA256=973E67AA69BBB8A890CCB9E279361187C286D432C7499B5822CA27D2DEFAEBDB,IMPHASH=74D45A8D6BF8351712FBED4E67DB54BBfalsetrue
11241100x80000000000000006359053Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.599{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dll2021-03-25 16:54:08.252
23542300x80000000000000006359052Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.598{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozavutil.dllMD5=A959A793B45E0D3B6DE8CD0F8C409376,SHA256=8952BAC0769A4FEB3C6ACD32BB62D654E3054D86C29AD60C2EC612460A064FA0,IMPHASH=D19ADDD1AED758A8478ED00FFFFF2420falsetrue
11241100x80000000000000006359051Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.595{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dll2021-03-25 16:54:08.254
23542300x80000000000000006359050Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.594{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\mozglue.dllMD5=64543A9C791B45E1DA4AE445F1ACC1C3,SHA256=69BCD88A556CD754FB1676A3692BA7BF86127B9A3A8B2BA9C29459D31C8924C3,IMPHASH=880BD99A47DA508AD8E7E479B22900B6falsetrue
11241100x80000000000000006359049Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.582{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dll2021-03-25 16:54:08.255
23542300x80000000000000006359048Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.581{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nss3.dllMD5=F90860EB40549CA33D03AC2BA9A9E4FB,SHA256=21E3D45AD815EB1A5FC1C96775076F709996924C74AA2AD741C9D8DF3AE9EEAC,IMPHASH=B394C4A0F026C7AFFA1F860C5A1674C2falsetrue
11241100x80000000000000006359047Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.555{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dll2021-03-25 16:54:08.257
23542300x80000000000000006359046Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.554{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\nssckbi.dllMD5=5F6CA156D9ADCD9C57BF2F19261BAAD3,SHA256=B5A3256DC70CDFA8A7A2F59F2013DF3B4F034A31A13B46A5278B620DCA328D66,IMPHASH=5986500029C9F7E013CB3FF371CB6F5Efalsetrue
23542300x80000000000000006359045Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.490{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\omni.jaMD5=3B5F7A75F2B662CC60DC43A1DF24FC98,SHA256=1EB42426D570D6E02DF036136B7F4D721525A3CBBB934ECDA5470A7FE78EDC3D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359044Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.185{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dll2021-03-25 16:54:08.277
23542300x80000000000000006359043Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.185{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\osclientcerts.dllMD5=E302A93B3212F9EC05AF221ECB067F59,SHA256=4951269EDBABBFF08E7C3A63A7552597B307F3D0FB6737248E4F3915766FB5C0,IMPHASH=AEB6155624A9EF250233718435B4BC1Afalsetrue
11241100x80000000000000006359042Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.180{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exe2021-03-25 16:54:08.285
23542300x80000000000000006359041Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.179{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\pingsender.exeMD5=DF0602ACE512A03016D000738C41A000,SHA256=F9BECECD2BE7D45A1503F2232E209C6CE4AF2E8B5EAEBD21766C47FFF15C6505,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632falsetrue
23542300x80000000000000006359040Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.177{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\platform.iniMD5=C22F066F88D0D18E80D54595D281914A,SHA256=A3AD4BC88211C99E690124FFD1C7019180F997630F1E5CD4EF2C05AC2E2C1E13,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359039Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.176{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe2021-03-25 16:54:08.286
23542300x80000000000000006359038Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.175{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exeMD5=5A812EAB1A5F92C62466E553D237B1E5,SHA256=08393C4153E57F33F38FC9FA99C41D448314B00AC02340A3035DD50799F42D10,IMPHASH=0E85FC39F620360C45F1854D350219AFfalsetrue
23542300x80000000000000006359037Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.171{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-container.exe.sigMD5=18629F1F33221128B5C24196263E92A9,SHA256=12DB19AA8646017CF6EFFF88DBB1F773DA4183E2239690BCD0F1A5EA0263ABCF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359036Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.170{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exe2021-03-25 16:54:08.287
23542300x80000000000000006359035Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.169{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\plugin-hang-ui.exeMD5=572C2939779568E80E422627452DB601,SHA256=99AE0FE6A207CF21F142DB663BA6F7D6EEFB18FB7A22E6B32FE2D89EA519215A,IMPHASH=67E1F2F531D25FB7C5EC5E942BEF5B08falsetrue
23542300x80000000000000006359034Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.167{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\precompleteMD5=CA5EB5307F4F5A145C89CA93DCB41C90,SHA256=BA58E12F0F0C4F5CD7E761AB8DC623A3265534782DC6147FBD775579D4A441A2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359033Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.166{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dll2021-03-25 16:54:08.291
23542300x80000000000000006359032Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.166{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\qipcap64.dllMD5=B0BDEC002DF5A6CA91666CD00252621D,SHA256=6BA46B8BE23DFE5A33AF3022A74FD9715D3A0EA6BC7EC1D2BC55879F2B77E6FF,IMPHASH=917C52799ED8B97E2927F898C7465E04falsetrue
23542300x80000000000000006359031Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.165{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\removed-filesMD5=FEFBFAC37461BD30E05F5BEFAA1F7705,SHA256=52523DA24287C4D459131C2E4818A713A732765E06E9BBBA1CF353888BA34F9F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359030Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.163{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB036FC36BEB7C59F9C57B77DCAFD2E2,SHA256=10E6DB1128A663926214EF2D6C0CCDD024A7AE02E9B1BED06F4EC6888505719C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359029Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:12.163{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dll2021-03-25 16:54:08.292
23542300x80000000000000006359028Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.163{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\softokn3.dllMD5=808F159384F69FE08920742561FE6404,SHA256=74EB84278C2D607A994E9CE4718225DBCA542A45D4A8054CBEBFB50D06E2A84C,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6falsetrue
11241100x80000000000000006359027Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.079{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exe2021-03-25 16:54:08.303
23542300x80000000000000006359026Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.079{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\uninstall\helper.exeMD5=65E4C14E2AD9112C78A706CF65904AA6,SHA256=F8C071072BA245E719211F886619AD4745C280B2B2F43C2F4AA7A8773EAEAA4D,IMPHASH=E2A592076B17EF8BFB48B7E03965A3FCfalsetrue
11241100x80000000000000006359025Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:12.064{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exe2021-03-25 16:54:08.307
23542300x80000000000000006359024Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.064{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updater.exeMD5=0CAAD3A6E62C8DEAFC160569FDB38EFA,SHA256=8D1FCBBF1872669F0DB776C643022C55DF92C2AD8CA6F17AB920E93539A5029B,IMPHASH=6BB751462A4674EA8871D6EED6988FCCfalsetrue
10341000x80000000000000006359023Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359022Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359021Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359020Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.008{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x8000000000000000860476Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:06.650{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000006359095Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.620{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B0B420C2EBF4311F95CE48BB3FEF77,SHA256=2E8CFD14E2C8884D144FF22AE1BE0E9B0479C9FEA50148A29E3F6C8902B74E52,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359094Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359093Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359092Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359091Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359090Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.371{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\0.patchMD5=796559DFF422C76D1D3330368EB5AF61,SHA256=A11F54B5079384388182856AD81B257987352496B4C119E6C6C4A4E54F4E29ED,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359089Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.369{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dll2021-03-25 16:54:08.103
23542300x80000000000000006359088Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.369{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleHandler.dllMD5=35CA6C59BFC8AEE6E9562BE9436D9E44,SHA256=1A556F809F4BA458C728381C9E692DC3398A3A9D7E9EFCB795356C0F294696C7,IMPHASH=E1BA3B55EB32E4C178FAE6DDB8B06FF9falsetrue
11241100x80000000000000006359087Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.366{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dll2021-03-25 16:54:08.107
23542300x80000000000000006359086Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.366{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\AccessibleMarshal.dllMD5=90601C0711B2C86773FE74DF00FB774F,SHA256=8E347DEBC4BAFFEF769B0D073455621369DE3538D301130982A20F4C6AA2F339,IMPHASH=905B6802FDC25413D4662E31BCBD590Efalsetrue
11241100x80000000000000006359085Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localDLL2021-03-25 16:54:13.364{896A638B-C030-605C-8B89-00000000AE01}4548C:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dll2021-03-25 16:54:08.239
23542300x80000000000000006359084Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.364{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\IA2Marshal.dllMD5=856489B65C04918AE5642EE5FC732D86,SHA256=40782891EB7B08B18140EF6C4B353B87797DAD833222FDE7699B5FF76F4B69B3,IMPHASH=D75684F47087070B549E67B7E925047Dfalsetrue
23542300x80000000000000006359083Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.362{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\application.iniMD5=843BD3168C7B7302C06991BACC54C0EE,SHA256=E4DACC1106985A2DB60FC77CC890B46D269F09E25F082FE914AC5C8F24B09A88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359082Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.358{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\features\formautofill@mozilla.org.xpiMD5=DBC664E697D6AA2E34C6D0112196BB20,SHA256=9019F0D74F67A177E375D503E88444946A295DAFAE886020E144175A2DCB48BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359081Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.346{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\features\webcompat@mozilla.org.xpiMD5=F1ED4A0A68B2A39EBCCA0473F6D1C4B7,SHA256=9B05F825BB44C82501DED2B5E963F53C5EFFE97D8193581C0AA5FD5BCEED48F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359080Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.254{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\browser\omni.jaMD5=523DEEC4E38AA02D4ECEE8D4F97FAFAA,SHA256=BEA04C6FE3800B4D9A8CC97A51F6AD258E3BA07ECAC5CE88CF801FBD37D278DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860478Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:13.168{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB6852225CE0F2E880DDD3F5BAA7783,SHA256=B03586B36DA57550FD794B430FFE430AF6F3A6302FE2D675DF63EFA2243CEBD0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359132Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.995{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\32.patchMD5=B195F8AE970D1438BE9C5408586B039C,SHA256=CDEE27E82543F76A905FEF58C7104EA60F293E8224AEBC98E04153F8BB493690,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359131Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.993{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\31.patchMD5=D2BCB0FBEEB3D09FA772517C005A6C25,SHA256=583A9F7AE13685819169B5D18EB586D79AAB361469617A589C93B337DD32E8DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359130Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.630{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\30.patchMD5=06EA4C802F341488EE537BD520B1F330,SHA256=53088B6902152F4C8FE2E406C03A4D457F65BDB711381130EDDC9F1C37892984,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359129Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.628{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\3.patchMD5=4C6533339B7C411BB977C3A206A1039E,SHA256=9A6699BF2EA2A975DD5B24E59947822125152F88EA3353434344AC6BA91DEF86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359128Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.620{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\29.patchMD5=D9FFC4A2B52DB9CA29C69E153EF178A1,SHA256=0670D469A3D50DCD15206B9378E3A344E937DAF1E1388C97137EB6AE7EE0EF8A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359127Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.614{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\28.patchMD5=C51670100134DA51C8BA1987A1F35BBE,SHA256=05F82F1AA3DA02BBF54A7136837834951DBB4E2322D1EA348184EC35A38E9A60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359126Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.609{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\27.patchMD5=3C5F871C6E4A276BF665A7030F9D882E,SHA256=79E6D5A9AA30A7A9B8CC794586549B5263A4BD3400C89C70FF2B0F900F513991,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359125Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.608{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\26.patchMD5=3591F4DAC2293DC313AF305C170A5B5D,SHA256=926CC1DE9617E5B9F35C0CE8698A5EB9442ECF03A85116A803766B2980A322A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359124Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.601{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\25.patchMD5=F7C613A5294FDDCBCBD7F6E54A80278C,SHA256=E728BEA647DB01D94743C922FE9CF41824FCB1AF9E7C16A02AA927DC8805DC0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359123Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.600{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\24.patchMD5=B50868B07F9A01351F4CD6BCD95AE630,SHA256=7873F242D72CDF772688F297AC163F1FC6FD957548C4153FB03633C20924E3F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359122Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.599{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\23.patchMD5=6F38B6EBB19241C0908DEBBDB6D5DD9E,SHA256=2FE1A6BC71EA0C9AD4DE053EA35707112BFA6B12416697D339C3333CFD720DBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359121Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.598{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\22.patchMD5=7D5EFF8FEDD90CCE620194658CC00D57,SHA256=8E7B3AC6033F7149799FD4C3C0EAA4D7F0140645D15F02126A2C5C37FA14DC83,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359120Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.597{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\21.patchMD5=372B35B485677BEAE1026F97C492DEDE,SHA256=0FADDBBA9BAB7C55D8F9D4C7155DCD5D61CC38AC22C5182161437044330C562D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359119Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359118Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359117Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359116Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.575{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359115Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.561{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\20.patchMD5=78E3E0F58BE7DF15C7AFFB0CAF0AD567,SHA256=0A4990D9B6067F4E932FE524D059E68925633E5CBC13778ABA420AAB282E4380,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359114Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.558{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\2.patchMD5=49BEE4AD5F39EE6556C84F0608245199,SHA256=DB1E1F88CF87F36133B271DDECC50A5FADAEF27E3240DA3FE5D9894A2597ABC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359113Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.554{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\19.patchMD5=F68CD7D1CE5054E60A7508A4B74EA1D2,SHA256=36A1D71C8D8EBD6EA5BBF4AB715C4F02CAABD7184B44464308E274C00170E464,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359112Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.552{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\18.patchMD5=8D53D708ADDDD8CC17631F89CC11879F,SHA256=A26AC19D96B30E9112B03F72979B8E82D4F720B11F47D955B4ECD4A1B3E39556,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359111Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.547{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\17.patchMD5=9CE69F5E4FAC42295B5798B5D53464F2,SHA256=EA00D2B91D243F7D55DDC7128D97E31757362B9FA97B2ADCF488E799C3B34A5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359110Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.532{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\16.patchMD5=653607270775FD4E70D9A70938AFB2E9,SHA256=D928923FF4B34FFA2C308A785479335B5518117C375CE5D11167D1127E5F3179,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359109Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.530{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\15.patchMD5=4594F0EA34CE1A48974D06CAA06E3853,SHA256=87A819D2EFE4B4B8B4B99A7FF87E22301C4297427674A63CE509EE2EA42DDF64,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359108Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.524{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\14.patchMD5=C534BCB0B860FF2F0117E3670795F394,SHA256=E2C1A1CDA52D8922A766ACCD0A17B241E3A73F1E7ED208E7FF26EFCA9155CD36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359107Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.507{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\13.patchMD5=F2959668F0C1C9DE35E983C33B449AB7,SHA256=5A59BC81D045BC13135B473D8131AA1CB430C8476F14AE46F0532A25FB12B442,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359106Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.503{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\12.patchMD5=FC78B0AF88649E53D5D6B4759C522FD6,SHA256=7FD62E65357BA07C9E95DFF3233976B2E94A1D7DF9633A7DD89639A4895826B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359105Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.291{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\11.patchMD5=DDABED440CA7016F9E0197633095DBAE,SHA256=95A68EEF36C75728A79308D88731E41E8E342A4B0978C64839C8C9183CD71AE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359104Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.288{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\10.patchMD5=35AF109E34B40A33BC7525DDD55D265C,SHA256=2525683E8B7AD56C86501CE2CB7199AD08192A1E28C410ADDA079470F3DE5AB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359103Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.286{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\1.patchMD5=55FCFDBB25DA4E1871DD9AEF6BE9D441,SHA256=DB6C21865B495F6D00CEECF97E3876F5743BACDD69CCDA4EAF545624BFAC1C1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359102Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.285{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E147892E724E81E0923F7CBB1B43BF,SHA256=9EE8068794832FBA825E8DE9DD026457AD176828C0BFB2613ABFFA0BE6C6DC2F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860479Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:14.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BDB9F522399531E8A40668CE08ECFC,SHA256=87279465B6BB5B41DBCA1D5E9C018B1A5C5BA4AA0DFF025A68E5C0800D2BBAF0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359101Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.133{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-F3F4-6058-4510-00000000AE01}404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359100Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.133{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-F3F4-6058-4510-00000000AE01}404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359099Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359098Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359097Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.129{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359096Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:14.128{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-F3F4-6058-4610-00000000AE01}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359168Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.655{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138358927B8CE0D6A6172A16CF8A1AEE,SHA256=AC91A5B73B7B94BC54C0991882E16CAFE3CB139D90DDD0EFA6039258E9F385AE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359167Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359166Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359165Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359164Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359163Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.348{896A638B-C037-605C-8C89-00000000AE01}6136ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\saved-telemetry-pings\cef37f03-1044-4461-bc0a-23a4d76972eeMD5=F75C3ECF5EE0B6C212D9304337B2661F,SHA256=9C195AF18D347FF2F488B494A777A0E5358855230572E009AB6004A493F794E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860480Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:15.215{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D48816209890DC4D90B34116C0C13B,SHA256=777772015E20AD0BFDE8D9EBC0ACAA6A47EC2D7B7E04CD7BC469CC1FB00E077F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359162Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.263{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFE46029C222C42FC76321D00385560,SHA256=DA0272FD6FDFE8D80D1253E3FF9F796364E6DB36411AFE725A2AB7E8855D1DA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359161Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.262{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2718FB584A77E5F32728106353B8EA2,SHA256=06BA73CB7DF6188167AF57699B86603F8ACD169C331F1C696E01823F41A1CF81,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359160Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.200{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359159Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.182{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359158Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.182{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359157Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.134{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359156Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.133{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359155Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.130{896A638B-C037-605C-8D89-00000000AE01}11606152C:\Windows\system32\conhost.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359154Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.123{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C037-605C-8D89-00000000AE01}1160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359153Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359152Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359151Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359150Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359149Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359148Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.118{896A638B-C9AE-6058-4C07-00000000AE01}34202880C:\Program Files\Mozilla Firefox\firefox.exe{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+cbd50f|C:\Program Files\Mozilla Firefox\xul.dll+cbd325|C:\Program Files\Mozilla Firefox\xul.dll+cbd371|C:\Program Files\Mozilla Firefox\xul.dll+4cf5162|C:\Program Files\Mozilla Firefox\xul.dll+13d13e2|C:\Program Files\Mozilla Firefox\xul.dll+13d323a|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+3a76398|C:\Program Files\Mozilla Firefox\xul.dll+119800|C:\Program Files\Mozilla Firefox\xul.dll+2e4406|C:\Program Files\Mozilla Firefox\xul.dll+3b3307c|C:\Program Files\Mozilla Firefox\xul.dll+119394|C:\Program Files\Mozilla Firefox\xul.dll+2c876f|C:\Program Files\Mozilla Firefox\xul.dll+13b494f|C:\Program Files\Mozilla Firefox\xul.dll+411cb|C:\Program Files\Mozilla Firefox\xul.dll+113621f|C:\Program Files\Mozilla Firefox\xul.dll+110e84f|C:\Program Files\Mozilla Firefox\xul.dll+401be|C:\Program Files\Mozilla Firefox\xul.dll+3f8798|C:\Program Files\Mozilla Firefox\xul.dll+3f765f
154100x80000000000000006359147Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.108{896A638B-C037-605C-8C89-00000000AE01}6136C:\Program Files\Mozilla Firefox\pingsender.exe86.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/cef37f03-1044-4461-bc0a-23a4d76972ee/update/Firefox/86.0.1/release/20210310152336?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oktd6i2n.default-release\saved-telemetry-pings\cef37f03-1044-4461-bc0a-23a4d76972eeC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2MediumMD5=DF0602ACE512A03016D000738C41A000,SHA256=F9BECECD2BE7D45A1503F2232E209C6CE4AF2E8B5EAEBD21766C47FFF15C6505,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{896A638B-C9AE-6058-4C07-00000000AE01}3420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"
23542300x80000000000000006359146Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.088{896A638B-C9AE-6058-4C07-00000000AE01}3420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update-1.statusMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359145Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.015{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates\0\update.statusMD5=E1E047359086670F55D8E6B7FFCDB951,SHA256=61C1C8CDED1D1A291011FA526F8332D7B515DECF6398F0A31953862C661C88AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359144Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.014{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\update.manifestMD5=D0A9D8E55F4A998DD8D00ABBB0D21F2D,SHA256=4B257EEEB03AD6E98AFB695879C1F0064C95D85C099219332350C212A68FEB13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359143Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.013{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\9.patchMD5=E420F6ACFB9B425926327B3611C69F65,SHA256=CA1723EAB0265F7AB5B39C048C5F93996FADFE3C433D73B2ADB13F52A6BF3E7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359142Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.013{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\8.patchMD5=686E953AEA76B32F35F4AB1B9F958DD7,SHA256=8A11D03B9A996043555BD6A5608B2AFC20408AB9C095915F0AA9A8C718541B07,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359141Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.010{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\7.patchMD5=C16FD15E3B5F5DAB34787A6FE381F4D4,SHA256=35EC544F2FA26EF9113DD3961B77B9E7D81E81B70DBAE7B7FE0B66643AB611C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359140Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.009{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\6.patchMD5=65639161FC939C1F25E105DB5A7A4343,SHA256=0B36186D9423FAF0371780D0E869768BFAED73EB1A295854DC8C8C2D2A1D342D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359139Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.008{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\5.patchMD5=D8D8CD76AA487AA018138F13E54E721C,SHA256=4383792FCF0145F55F9592C83E33E5873A5C48AB935E3EB02F1D89C1B9A29A88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359138Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.008{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\4.patchMD5=6041149D6C11D8694CC66D3CC056E9AC,SHA256=2AD9EEF1B477A4B06E39D89F00C81752C863E7596B1C37516BE37D6598871121,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359137Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.006{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\37.patchMD5=BE283F9F41F7E2E2146CFA652F874940,SHA256=FF295A413122B9094F36D1EEF8F23AED264B5EF861503CC54F1BC43BE6BCFB84,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359136Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.004{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\36.patchMD5=E1AA666DE05DC20627721DBDC42E59AD,SHA256=81F2A686EF25C8F138374E80A0C998F5B86DD2A317522EC21B92B420B086D6AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359135Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.003{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\35.patchMD5=DA10981DEFB7482D97C0D6A7E4468D73,SHA256=BD25EA8802E47A263076F48BDD16A443140462C43CA5F2CE87B620C79EFB88B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359134Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.002{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\34.patchMD5=40BADFF88D46D9760DF7A878DDDE1349,SHA256=D074963A6A6E154C4B2B9B228E0AD26843AD3DB95E823639C409405F419AD4D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359133Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:15.001{896A638B-C030-605C-8B89-00000000AE01}4548ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\updater.exeC:\Program Files\Mozilla Firefox\updated\updating\33.patchMD5=142B38A68E7A22662161669B346B2B3A,SHA256=A0557EEF79AA73321ED0FFC11334A72DA511841934C055B828E1F9C1F3A8B99A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359175Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359174Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359173Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359172Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.576{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000006359171Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:12.754{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1083-false10.0.1.12-8000-
23542300x80000000000000006359170Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.355{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F981A7A36D4C57DB544CAEDEBF6A5846,SHA256=6DE4EB1A8F9895A8F6E6865025ED4FC5E3ABA5F7AF8EB51113F1BCBCEF129D53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359169Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:16.355{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFE46029C222C42FC76321D00385560,SHA256=DA0272FD6FDFE8D80D1253E3FF9F796364E6DB36411AFE725A2AB7E8855D1DA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860481Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:16.246{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E9509E1ED4E0685BDD9153725C5A9B,SHA256=C12F227ED1DA8FA628CD6910115AD86DE83B8E0F56E6BB1FC287309B896F956D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359186Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.604{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359185Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.604{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359184Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359183Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359182Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359181Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.600{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-FBAD-6058-BF11-00000000AE01}100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359180Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359179Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359178Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359177Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359176Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:17.361{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCB9C84AE6CFF435F1DA475E8308267,SHA256=2AE0B2B588BBF76D8148329545014B7225B2FF999314A1385AD553981A687961,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000860485Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:12.494{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000860484Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.278{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077F14F45AB8795E4914403C2731FAA2,SHA256=35C0424130BA7CA544AFC1D45317DFE29008E8F16DF159FF32EB8999B4806098,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860483Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB49A3A301A908C9D1414FCC383A412,SHA256=03A8B1864AA26531CF06BBF338561C8D49C50B804EB953F1CB81336218625F00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860482Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:17.106{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7793159278806FFAAB108063F9482F,SHA256=0D0C5EA80B21F73F48BE2B5955F7AD10F6A58C7F3FCDF3C38300847B5E2E7BDB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359191Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359190Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359189Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359188Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.391{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813CC910C3840117E35B29F50A067EF5,SHA256=03CBF1E4A566F3468E154399FF438CAABB925DB2FAC8629B1DD27DE5C7921A47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860486Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:18.293{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D177CDA3480F05B9C2BC0DA231B534,SHA256=3AF4479850467870FF6E1FB64F7A48FDD35FD8145C5C900DD11A420DDB290894,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000006359187Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:13.807{00000000-0000-0000-0000-000000000000}6136<unknown process>-tcptruefalse10.0.1.14win-dc-792.attackrange.local1084-false52.35.57.239ec2-52-35-57-239.us-west-2.compute.amazonaws.com443https
10341000x80000000000000006359197Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359196Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359195Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359194Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359193Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:19.397{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F4508C380BFCC85A27AA549AB51A1D,SHA256=068A499CFB59654382C3142366B2EC653391302A2410103C5A37BBC914445EB9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359192Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.577{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000860487Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:19.325{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEACC7CFD9D5F8EF62E73015DC8B6068,SHA256=C9A5638AA17A50CC751C8FA841777884D1787A7D48049C6BCB25D4CF968FB85B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860488Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:20.340{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F22A31F7F2007C9EC2AF0DF07610741,SHA256=C090D811298FAAE17FCB4BC87E94AC49C3E2344B66A9AB95105C43CB3B00385E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359202Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359201Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359200Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359199Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359198Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:20.417{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFC83B801BABC38BC4B946566211A1C,SHA256=AB8FD666CE06D166A13E5F72162930C08D610D8392D163047F3F9FAB9AD4903E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359209Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359208Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359207Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359206Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359205Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.430{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878E637F88A978FFDDB0861BDBEEFE26,SHA256=5B585B4085C0AF806F989010F57308892FAB0BFB192BB9E0586B9DAFADEA002B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860489Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:21.340{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CD4217372050D8D9710125A83D1151,SHA256=9C3EA724724E628DCA848C5C0A12246438D629A0265CE65343294176EC9C8733,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000006359204Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:18.631{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1085-false10.0.1.12-8000-
23542300x80000000000000006359203Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:21.092{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6603F46E87625C9829026BB3051AF5A,SHA256=9C56D01C4830E5622F0EA1939A93B154CDF7D78AB9612288F9033E8317AF8AAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359214Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.653{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C8BCDD4EE2D6A2983974F34ACF7A0,SHA256=E039CC162FF0E2FCEFF182B9D3BB42014F308945B7CB7556582C0A8D85E64072,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860490Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:22.356{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68F7D5FCF9C66DF01DBF9ED8881DAA2,SHA256=B053359F0BBBC9D3F278E33622D2E2BD617DA68323621349C5818D080B1938FF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359213Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359212Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359211Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359210Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:22.578{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359235Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.666{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA8A44C1DFE49EE3867DC44FD71C2C8,SHA256=DCB17176DD9931E55AFC6729827495209CDF28C7CA525A50121C7E0198E236D2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000860494Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:18.478{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55004-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000860493Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.371{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3532C21469AD1547C3FDCA973BAC0F3,SHA256=2AE32606418678DE066D5C0531ECF6B1DFBA8C1AC44EA1FEB6EDE8BCEF166A86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359234Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359233Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359232Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359231Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359230Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.279{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359229Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359228Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359227Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359226Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359225Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.277{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359224Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.276{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)
154100x80000000000000006359223Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.267{896A638B-C03F-605C-8F89-00000000AE01}7368C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
10341000x80000000000000006359222Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.257{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359221Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359220Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359219Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359218Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359217Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359216Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.255{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)
154100x80000000000000006359215Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.245{896A638B-C03F-605C-8E89-00000000AE01}4512C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000860492Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=738B4E480FB216770EFC62A51CB3ECC9,SHA256=9456C844C153B9A5988681EFB7CF017ED2DDC130CDA8CE49BDDE7C0D08DB1B03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860491Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB49A3A301A908C9D1414FCC383A412,SHA256=03A8B1864AA26531CF06BBF338561C8D49C50B804EB953F1CB81336218625F00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359242Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.880{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA4DD6B1AC962CADE1AAB3F7C2D8553,SHA256=1C7DC58B0920FD9B4022C50969C1D0F88B4998E81603948A82AE1A1255346FDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860495Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:24.403{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E010F8DD13E292ACF434BD78E36191D9,SHA256=213692AEEFB682CF811EFCD54CEA57AEB048A84C1608FC45AFCAFC40B6638939,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359241Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359240Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359239Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359238Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359237Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.260{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA10B2F1C576D70A7C6E0556A7C49663,SHA256=0110E47DDB81C78B878AA483220415EEBFBC831933C6FE88643C78FD3ACDDEAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359236Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:24.248{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA2F94D6FF186F37F144C30D7AE8EA8,SHA256=61B64554FBFFF6C192439E54C84B740FC7E8946A54E4A5677409BD5DF2541467,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359247Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.886{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21EA98FB587AB527B624B737D8CEC13,SHA256=247F4CBB7DEA8719F051540D17D9DE1BFA5CC82E1CD0F22377704086FEEFFDF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860496Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:25.403{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C11EB11B85FA0756F635401241EA1A5,SHA256=05179EC8B522A23BE8A8AB1D5A236A18FEE124FD24FF79D39BCD64A07B4DD699,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359246Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359245Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359244Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359243Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:25.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000860497Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:26.465{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98AE60FC8E055BD3420F4D7E76C4091,SHA256=985876C9AC843063D91F37EA64C6EDA15B4090DF095A8F552DEC8E662E8E9C9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359253Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.890{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D937E0AD4B52B0E9E7026DCA02C190E,SHA256=77E239B879D5B26FFD4C4007AC426E2B412682F7D5BEBC47E9A912D1AA55FE22,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359252Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359251Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359250Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359249Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.579{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359248Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:26.240{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61DCB2C7661F4DDF47DA8E0C8FF61850,SHA256=E76E6FF5AEAD3752AEC1E5A4FCB4B35DC5BC25251B646A9EFBD2150B71AD9B51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359347Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.899{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B58EB4D7A7B48B18EF857AD777C622,SHA256=B01060A3ABAB49FB0D7FC73C93C32B0082F373E7B2CBCF4EE1BD69C742A4D575,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860498Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:27.481{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9953A2DF3E871E218785EAA5C7CE0432,SHA256=985D8696204C1CD5D2C19BB4FD24E806BDB882F98A56E3CE574FE351A898D68C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359346Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.651{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7596928A64EDC323C91B544E4A0B09,SHA256=FE5E6712D40C9193EF27940FFE6CE99D478AB8B25A4BF954C740C58039384032,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359345Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.607{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=FE7E5F82FEFA55F85B0D6C6D0F9D1C65,SHA256=4DDE3118225D52F5E2F1311BD6A8DBB1907ADD049170DA232C41CD8682A07E6C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359344Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359343Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359342Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359341Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
534500x80000000000000006359340Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.573{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp
11241100x80000000000000006359339Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:27.566{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmpC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2_decoded.exe2021-03-25 16:54:27.566
10341000x80000000000000006359338Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.559{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359337Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.559{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359336Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.543{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359335Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359334Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359333Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359332Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359331Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.540{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359330Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.540{896A638B-C043-605C-9589-00000000AE01}50206208C:\Windows\system32\cmd.exe{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359329Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.541{896A638B-C043-605C-9789-00000000AE01}3780C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp -decode C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2_decoded.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy %windir%\system32\certutil.exe %temp%\tcm.tmp & %temp%\tcm.tmp -encode C:\Windows\System32\calc.exe %temp%\T1140_calc2.txt & %temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe"
534500x80000000000000006359328Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.538{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp
11241100x80000000000000006359327Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.530{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmpC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt2021-03-25 16:54:27.530
10341000x80000000000000006359326Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.523{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359325Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.523{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359324Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.506{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359323Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359322Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359321Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.503{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359320Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359319Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359318Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.502{896A638B-C043-605C-9589-00000000AE01}50206208C:\Windows\system32\cmd.exe{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359317Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.491{896A638B-C043-605C-9689-00000000AE01}1884C:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tcm.tmp -encode C:\Windows\System32\calc.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc2.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy %windir%\system32\certutil.exe %temp%\tcm.tmp & %temp%\tcm.tmp -encode C:\Windows\System32\calc.exe %temp%\T1140_calc2.txt & %temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe"
10341000x80000000000000006359316Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.473{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359315Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.472{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033)
10341000x80000000000000006359314Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359313Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359312Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359311Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359310Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.470{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359309Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.469{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64)
154100x80000000000000006359308Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.461{896A638B-C043-605C-9589-00000000AE01}5020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "copy %%windir%%\system32\certutil.exe %%temp%%\tcm.tmp & %%temp%%\tcm.tmp -encode C:\Windows\System32\calc.exe %%temp%%\T1140_calc2.txt & %%temp%%\tcm.tmp -decode %%temp%%\T1140_calc2.txt %%temp%%\T1140_calc2_decoded.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
11241100x80000000000000006359307Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.460{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-25 16:54:27.301
11241100x80000000000000006359306Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.459{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-25 16:54:27.300
354300x80000000000000006359305Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:23.761{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1086-false10.0.1.12-8000-
23542300x80000000000000006359304Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.426{896A638B-FBAD-6058-BE11-00000000AE01}4492ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=CC9B05A31AB019E6AC18A7664CC64CC8,SHA256=396C3F67B122B91A91598FA91FBB71F4BD9B24619E89593667F7097F52E18786,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359303Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.391{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EFF6366ED3FC2A917FF5987B9E3746,SHA256=7951B138FCD8981D5FA14374CFF9A5BA76FC2A646C2D46EDC6C9BEF3E4B3FF86,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000006359302Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.localEXE2021-03-25 16:54:27.385{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc_decoded.exe2021-03-25 16:54:27.384
10341000x80000000000000006359301Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.378{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359300Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.378{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359299Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.362{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359298Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359297Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359296Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359295Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359294Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359293Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-C043-605C-9289-00000000AE01}54647612C:\Windows\system32\cmd.exe{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359292Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.361{896A638B-C043-605C-9489-00000000AE01}7124C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -decode C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc_decoded.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt & certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe"
11241100x80000000000000006359291Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.350{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt2021-03-25 16:54:27.350
10341000x80000000000000006359290Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.342{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359289Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.342{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359288Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.325{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359287Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.323{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359286Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.323{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359285Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359284Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359283Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-B8DD-6058-9202-00000000AE01}36324636C:\Windows\system32\csrss.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359282Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-C043-605C-9289-00000000AE01}54647612C:\Windows\system32\cmd.exe{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\system32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359281Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.322{896A638B-C043-605C-9389-00000000AE01}8088C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -encode C:\Windows\System32\calc.exe C:\Users\ADMINI~1\AppData\Local\Temp\2\T1140_calc.txt C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt & certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe"
10341000x80000000000000006359280Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.319{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359279Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.317{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA6D95C033)
10341000x80000000000000006359278Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.315{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359277Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.315{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359276Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359275Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359274Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359273Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.314{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b2871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af43b9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3aaaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b349(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3e2d74(wow64)
154100x80000000000000006359272Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.303{896A638B-C043-605C-9289-00000000AE01}5464C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "certutil -encode C:\Windows\System32\calc.exe %%temp%%\T1140_calc.txt & certutil -decode %%temp%%\T1140_calc.txt %%temp%%\T1140_calc_decoded.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
11241100x80000000000000006359271Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.302{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-25 16:54:27.301
11241100x80000000000000006359270Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.301{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-25 16:54:27.300
10341000x80000000000000006359269Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.226{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359268Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359267Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359266Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359265Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359264Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.224{896A638B-B8DD-6058-9202-00000000AE01}36324724C:\Windows\system32\csrss.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359263Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.223{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)
154100x80000000000000006359262Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.215{896A638B-C043-605C-9189-00000000AE01}5528C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
10341000x80000000000000006359261Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.207{896A638B-FBAD-6058-BF11-00000000AE01}10032C:\Windows\system32\conhost.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359260Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359259Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359258Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359257Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.205{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359256Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.204{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359255Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.204{896A638B-FBAD-6058-BE11-00000000AE01}4492212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+aff30069(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3d3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3a66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b3785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af3b312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+afe7b42b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+af37009f(wow64)
154100x80000000000000006359254Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:27.195{896A638B-C043-605C-9089-00000000AE01}6520C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{896A638B-FBAD-6058-BE11-00000000AE01}4492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x80000000000000006359359Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.921{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBF586EE6CCFAAD3865C6D9F35EC862,SHA256=AA50B13AC2CAF591B4BB705B7AD0186103E08EF05E41B11387661FC98D32B7D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860501Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.496{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C5410FCFD9D76BD41CFA6D22E0CB3E,SHA256=C4EAC1ECE596E86F617CA97D024D6412DF188199B55575E9A31C0370789AB356,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359358Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.866{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359357Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.866{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359356Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359355Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359354Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.860{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359353Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359352Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359351Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359350Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359349Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.427{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A376F90D8BE82906E72A1CA4DB7F860E,SHA256=48EAD3B649E33BA5DA98D1EA2E916F71A53BFD350F21D788B6972CED2C20B232,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359348Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:28.205{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8636AF7AB6DD4A8E244A17759891FF83,SHA256=ACFEE138A11E4448A4815A7097EA981AD5576134F0896B04D5078094204C9850,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860500Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01ABE7083582EA776533F063B50C5CAD,SHA256=F733CC451341D6B251B49B037B908A5A74EC932E588C8B719BA2BBC52F15F638,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860499Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.137{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=738B4E480FB216770EFC62A51CB3ECC9,SHA256=9456C844C153B9A5988681EFB7CF017ED2DDC130CDA8CE49BDDE7C0D08DB1B03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359364Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.933{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418FD5DBB246F7469C50FE467DE6C099,SHA256=5FADE3417BA0E86E87A38177AFCFFB2A183CDE754DEE5D4D9323C524CD86BA6C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860503Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:29.512{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38D91CAE608EE60FA63274501BDF688,SHA256=AFA816338EBCCBAA98DB17D5648E199647BB3D3398BDBCE2456B1287F6941B05,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359363Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359362Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359361Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359360Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x8000000000000000860502Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:23.525{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55005-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
10341000x80000000000000006359387Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.994{896A638B-B8DD-6058-9202-00000000AE01}36325864C:\Windows\system32\csrss.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359386Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.992{896A638B-B8DD-6058-9202-00000000AE01}36323472C:\Windows\system32\csrss.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359385Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359384Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359383Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5C8-6058-0500-00000000AE01}396464C:\Windows\system32\csrss.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359382Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359381Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359380Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.989{896A638B-C046-605C-9889-00000000AE01}65644400C:\Windows\system32\wbem\wmiprvse.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4
154100x80000000000000006359379Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.990{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe10.0.14393.4169 (rs1_release.210107-1130)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.exe"C:\Windows\System32\certutil.exe" -decodehex C:\certutil\encodedhex_clop.txt C:\certutil\clop_decode.exeC:\Windows\system32\ATTACKRANGE\Administrator{896A638B-B8E0-6058-1B64-190000000000}0x19641b2HighMD5=BF7CEA72AE186A10239F830F93492A73,SHA256=A50DFE408565C2BB011D013AC43E616B2A595B1D06EB9B083F519672732498DA,IMPHASH=442218E88D4D6AA0BE3165DD7B20A4C4{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
10341000x80000000000000006359378Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.987{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359377Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.986{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359376Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.978{896A638B-B5CB-6058-1600-00000000AE01}13087488C:\Windows\System32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359375Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.970{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359374Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.960{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359373Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.959{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-C046-605C-9889-00000000AE01}6564C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359372Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.947{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359371Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.947{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5C8-6058-0B00-00000000AE01}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359370Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.946{896A638B-B5C8-6058-0B00-00000000AE01}612820C:\Windows\system32\lsass.exe{896A638B-B5CB-6058-1600-00000000AE01}1308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359369Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.938{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BA2835152FE08030B00BEC2EC15AFB,SHA256=8DC824A7669938BCE414C07ED83346BB05091B6E736187E2B1D7DA06FF2093B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860504Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:30.528{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0A65ED5C1DD21391F98A3C13F8FE0F,SHA256=BB82658EA40AD7179F9E06146B468B5616EA6D78E1085CFEEFF023A74A2A757C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359368Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359367Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359366Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359365Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.580{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000860505Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:31.574{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7720EAD3613A67335724B1BCEECAE743,SHA256=7113A5156A5AA30D84819E1D646E5002AC528D2B82F8059BC738F9658713F367,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359417Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.995{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC53C68A54D3A7F070A4F7E04041B059,SHA256=39E0C4F40CA6827CEFCC6C327888E7C7ECB2337F112A64685C0D138DBF84A58C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359416Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.958{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31FA7761296C3C0008880115656FC5C,SHA256=B9307ABA6FA6D21C7E87B184662BA393232337420A4B6354C5D29367B0159EDC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359415Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.942{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ECF0529FB6919B6234BF3103C1CFF18B,SHA256=C9DEE34737D55648114D720F3C721FD57571464B38B131F063F436730934DE9B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359414Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359413Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359412Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359411Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359410Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.129{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359409Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.129{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359408Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359407Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359406Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.123{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359405Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.042{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359404Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.042{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359403Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.022{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359402Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.022{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359401Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.021{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359400Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.020{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359399Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.019{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359398Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.015{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359397Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.015{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359396Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359395Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78486924C:\Windows\explorer.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359394Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.014{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359393Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359392Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359391Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.013{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359390Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.006{896A638B-B5CB-6058-1600-00000000AE01}13085732C:\Windows\System32\svchost.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359389Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.006{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C046-605C-9A89-00000000AE01}1976C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359388Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:31.002{896A638B-C046-605C-9A89-00000000AE01}19763336C:\Windows\system32\conhost.exe{896A638B-C046-605C-9989-00000000AE01}5392C:\Windows\System32\certutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359423Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.969{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D5A020F372769EC5A0B8353AE66112,SHA256=3C0AB485C54B68B1331D82B5EC1994564F1BAC6349D50A2C22A83973BC1932A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860506Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:32.590{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE54873FAFFDA24BC7AF202472832C,SHA256=E37F436CAAD82E1E03FB42AA00259AA8DCD4A233396A665844940A2AC374EA09,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359422Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359421Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359420Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359419Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:32.581{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000006359418Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:29.640{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1087-false10.0.1.12-8000-
23542300x80000000000000006359437Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.991{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDA1BC2C292E28F3F0343CC9F9BB4FE,SHA256=56A026E432E9D29D546D5F5F5D63F6B9A24C13EA46B36E9B0FC7531C00A8D73D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860509Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.606{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468F8410D5783BEE7A9566880E61AD5A,SHA256=E707B21B9AF481E8C26623E8DB9391E2C34A42E4F9DAC91A83AF4632BD2E8F01,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359436Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359435Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359434Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359433Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.582{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359432Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.508{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359431Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359430Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359429Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359428Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359427Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.506{896A638B-B5C8-6058-0500-00000000AE01}396356C:\Windows\system32\csrss.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359426Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.505{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359425Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:33.497{896A638B-C049-605C-9B89-00000000AE01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x80000000000000006359424Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:30.340{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local49369-
23542300x8000000000000000860508Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A839500CA160DE8291405C06541266CB,SHA256=C344C4C3CECD1FEE5DA557B358285B169380BA7251C65A20F60DB6AE7535C24D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860507Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:33.184{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01ABE7083582EA776533F063B50C5CAD,SHA256=F733CC451341D6B251B49B037B908A5A74EC932E588C8B719BA2BBC52F15F638,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860511Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:34.621{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D3F2E8FA9C9C2A26B7217A71B16AF7,SHA256=6BAA8DD8CDD5FBA02E05D68C2C98457461CE5C5E6640C82378CD32652319E6C3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359459Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.717{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359458Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.716{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359457Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.716{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359456Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359455Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359454Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359453Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.715{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359452Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.707{896A638B-C04A-605C-9D89-00000000AE01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000006359451Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.692{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27CE3776C43D4B71B665E1DBE1E31F30,SHA256=4474EC8FA380D72F2BEF4740F53B57971F6F8F6465BABAFD5787F66AEE47436F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359450Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359449Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359448Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359447Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.583{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359446Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.193{896A638B-C04A-605C-9C89-00000000AE01}15247404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359445Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.040{896A638B-FDE5-6058-4E12-00000000AE01}38405920C:\Windows\system32\conhost.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359444Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.039{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359443Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.039{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359442Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359441Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5CA-6058-0C00-00000000AE01}8243360C:\Windows\system32\svchost.exe{896A638B-B5DB-6058-2C00-00000000AE01}2172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359440Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-B5C8-6058-0500-00000000AE01}396412C:\Windows\system32\csrss.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x80000000000000006359439Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.038{896A638B-FDE4-6058-4A12-00000000AE01}63644976C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x80000000000000006359438Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.029{896A638B-C04A-605C-9C89-00000000AE01}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{896A638B-B5C8-6058-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{896A638B-FDE4-6058-4A12-00000000AE01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000860510Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:28.541{BFB545BB-B903-6058-D000-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-692.attackrange.local55006-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000860512Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:35.652{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BE43253DA0AF8C80E40ACA5567085A,SHA256=86078FD11D7451D4883592730BCFE3AA724766C18AFF82C10B09DFFAC523F90F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359465Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.723{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068C22BE7FDD3700E46A62329DE68FF5,SHA256=40AA6F252CC6FCCDBBA043550EC301952ABA0688BA3E64428C8176A47D49C225,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359464Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359463Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359462Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359461Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359460Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.001{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855C8C0F8B2D4DF8FE3457AB0B41513A,SHA256=9E3A49AF57E40E7ADA87D85A090985775D6146018520CC435A02B11349B67E14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860513Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:36.668{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3382A00ADE86F62D153E6234C8959B6,SHA256=A45ACC17759BFCDC0638680471653D519B3B49A6A9D3E081FFB6ADCF63567E85,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359470Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359469Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359468Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359467Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.584{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359466Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:36.006{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBFEE8A68D499C142E8711CA213F932,SHA256=69FBDCFD1A1F8AA386C063A903B7DC2BB78ECED62761FA617D3A92605FAA0287,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860514Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:37.668{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19E93E707397CD192BBD249618B03FC,SHA256=84E16FE13DCCE408AEEA1A13AA24BD65D294C1F0DEF96D6A9FDC1CADA886B6AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359477Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.666{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7336439D3FDA545629DEC1BDAE9D5283,SHA256=847BABEF77D70FE6810DA4A9678CEE9A33EACE26C9EF29522B7A7ED9DEF649C8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359476Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359475Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359474Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359473Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x80000000000000006359472Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.215{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76383BA1E6A5860469FED99D0BA2A3D3,SHA256=9C81C7F463362512A9DBAD4DD1B84CA480FEEE0495A756636B965884512DD7F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000006359471Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:37.031{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DA51E0A9422C81BDE344053D8A1BBF,SHA256=E89C823984AB78B7EF789FE20435C70A0F5A6E4294AF672F3F1B47CB119A07F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860515Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:38.699{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DACFCD3E5AFDE0FB463DE85096AD0C,SHA256=81BA875909704274E3DA825A9EED4E5C6710A14D86E58B3305EC4CE5B42161D3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359484Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359483Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359482Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1D87-00000000AE01}1404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359481Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.585{896A638B-B5CA-6058-0C00-00000000AE01}824952C:\Windows\system32\svchost.exe{896A638B-AD64-605C-1B87-00000000AE01}7460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000006359480Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:35.565{896A638B-B5DB-6058-2700-00000000AE01}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-792.attackrange.local51078-
354300x80000000000000006359479Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:34.772{896A638B-FDEB-6058-7912-00000000AE01}1496C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-792.attackrange.local1088-false10.0.1.12-8000-
23542300x80000000000000006359478Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:38.042{896A638B-FDF2-6058-8212-00000000AE01}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E233F9BD6BDF249F63883287834A5849,SHA256=9040BEF677C3244C6FD8208984D7A369C1D7B4158B424FE1D149B3849708DA55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000860519Microsoft-Windows-Sysmon/Operationalwin-host-692.attackrange.local-2021-03-25 16:54:39.715{BFB545BB-B909-6058-D900-00000000AF01}4084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FCC2A8C69001ECDF72608CED25AA68,SHA256=1590972DBB716845BF2155256FD1F9E975C513DCBADB4ECC9D8CA4C43E8E5233,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000006359521Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.831{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359520Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.831{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359519Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359518Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359517Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.813{896A638B-AD63-605C-1987-00000000AE01}78488096C:\Windows\explorer.exe{896A638B-B979-6058-2004-00000000AE01}6812C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359516Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.803{896A638B-B5CB-6058-1600-00000000AE01}13084668C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359515Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.803{896A638B-B5CB-6058-1600-00000000AE01}13081328C:\Windows\System32\svchost.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359514Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.786{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b97c5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359513Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.785{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b96de|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359512Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.785{896A638B-AD63-605C-1987-00000000AE01}78485168C:\Windows\explorer.exe{896A638B-C04F-605C-9E89-00000000AE01}6196C:\Windows\System32\certutil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359511Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.784{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000006359510Microsoft-Windows-Sysmon/Operationalwin-dc-792.attackrange.local-2021-03-25 16:54:39.783{896A638B-B8E1-6058-A802-00000000AE01}30922100C:\Windows\System32\taskhostw.exe{896A638B-C04F-605C-9F89-00000000AE01}7200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000