23542300x8000000000000000319157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:35.116{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8CB410E8E08D6B4B442E8C8F700F0D,SHA256=D5F90BBB28B2CDA2BFF5A79E51A3E29CFD3C61360190D5D9672790B9D99A33D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:36.119{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169D2E51688FE2BD70BE1E5537CECE05,SHA256=09B52CA8E5B483C279AA914473F2F109D1FB0D5A3B3ABBEC48333BA65385B0E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:37.177{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28473CCAC1E1FA15B07D8DB5F2932F41,SHA256=50B2F397E8122DAB9C1D27FA1BAAB69EE0A5FCC5676AA4CD08B158B08A469080,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:38.210{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F92ABEAD9631003C646CD1C65533526,SHA256=059A6E986AF82FF422EC8908461B1EC586FC1CA773FF9136D4F5B525925D79E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:39.270{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0438D3C121BC65EA4B37999832EB7636,SHA256=1FE0AF2747413BC5A5F479257D3F3BD7930569AB9A9CAEC671DD534A212564CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:40.270{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CC750EED913E773FAC8DB556EAF27D,SHA256=B5D24AC45851A0E40595D3C699AEAA443CBCD4DBC73D038B7645D1BD59E9B662,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:39.270{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52783-false10.0.1.12-8000-
23542300x8000000000000000319165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:41.645{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01A7B4A4F51CCBC166796026704D0F5A,SHA256=D8BAA9EE378FF9512EB8056AAF41ED7C099C5803A8C2352E7B50768EC076E91D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:41.302{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC2E70EC9918F3C9BA8CE2FC5D4A590,SHA256=8BC0431B2C92D401C519FD1FB917654B83D6FA030ED312E554934C789A5965CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:42.320{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D27140625B3D629522780590369C53,SHA256=5555BBBF402F8577E5FBF40DE35CF66FCF114655093495724C393BAD873A0C3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:43.333{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107F9B46ED058742AA5E7B28C03EDBE8,SHA256=E515FFA142276C6FEC0DE7217B248C04B3A4BCEE6F6C280FEAB988C58F03002C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:44.348{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4844E5DA0966539F693E5EAE9E7A334C,SHA256=2DECF2EABD73D1E83D53644824EC26FBCFC7ECA4EE8D70642B18B5F6CF9A1F7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:45.348{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B29CE9CBF4D7DF12246D7EF18302498,SHA256=249D7C90F821E6555D8C74C046F22DDADF6037608710989EBC053DD4F6948306,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:44.379{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52784-false10.0.1.12-8000-
23542300x8000000000000000319171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:46.364{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96AFB005CB798093AC7FE380A1577C0E,SHA256=BC70309B9308A7369ADD2EDC7AD03C9008FEBBB6B98EBA54EF3E23BF6CE5D2AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:47.380{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48E11B693B53437569889C9EC9FC0E5,SHA256=B5ECF983E9BAD0BF874005C917A36D3BBE26897F486F811A48005EC816CC2E73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:48.395{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF0C5933815800E39886D7676A30E85,SHA256=86B2CC3BD5346DA0B19A7F2BF20F2EC8FE2AF57F22C607DA8FC862B578A5F80F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:49.442{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE85CEB77F1962AC8F69871B84293C52,SHA256=4E39E6CC0149C196F25533A92C0112F249B98A460555D4B1A99E8476DC5CF738,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:50.473{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193F42C5DF83A9FB78BE059217B5ACBE,SHA256=88B896EECAFE29A21AF89DFDECE489047B61E2E4067D0E725F465AB52EFFC1B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:51.504{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919BCDB10D56C7EA3A3380460A9C6EB7,SHA256=9C88B7CD3E14757CB63CC21C9A61C14487BA32C7DDAD646813FFF32DBB8E9CF8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:50.255{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52785-false10.0.1.12-8000-
23542300x8000000000000000319178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:52.536{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3879F3E88AA0C1765026FA684C51A1,SHA256=A9D4ED03F3FA7FEE70FB74022E3D8C41C3C4CB700FE9756C9A6A77793A487635,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:53.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F4819F332E833CDFF712E6CDA7473A,SHA256=54A9D724AE6DD38D4A89D439125609952353035CD4F759C63AFAE9AE5DD76AC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:54.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A188A0DB168871C8368958043614B68C,SHA256=6606495338DF96808BDD84B6F75588A78D4D7B3CF32C3AAC7576ADAAA3CFED6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:55.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BA87074B518024E3AA632AF1F2B400,SHA256=0F497F78B5E6A31481CEE357C77AD43FCCC1D37BEB4EE8ABA1F7CCB2787A6CF1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:56.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370D33197C71756792C181A637ED0AAA,SHA256=E42E9D07EC111D0CC1B24BC4F61FD34790F2885FE39E4469369ECA15989FF004,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:55.348{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52786-false10.0.1.12-8000-
23542300x8000000000000000319184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:57.567{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A06D105206816AC4AB4187692D864D,SHA256=1133B86DB959B6CBE5577061B9385EED80C5A01A0E592ABBE2D9FBF721F1C745,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:58.598{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA40E346754D9C60CCE1CB5CA9BEFDE,SHA256=D1B2F233A7DE8A5395F5F52CC3C9F91D7907A25DD8D5877FCB9C49A56E0FA1EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:59.598{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CE8CEEBB2983CC31510278550CC631,SHA256=3DFADE9A94FE0B24CE53E4CA05536701191581FCFAA9DE2099407B1E68545A58,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000319188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML
13241300x8000000000000000319187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Config SourceDWORD (0x00000001)
13241300x8000000000000000319186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C.XML
23542300x8000000000000000319192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.645{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642C09217EA1F39B313875E0D43B1EC4,SHA256=A7FA3957BF40AB8D777EA87A8EFE4AB58594CCEC9BFBAA8B760D420A9B39BFE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.323{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A565AD2A455CEA1CA7ABC35262BB8E06,SHA256=594395BB30AB82150234B7457D420A9B519D1ED8FD2B1955A54D20C6AA52E96A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.323{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4115DB49D651D0F0A071D739F2E31E,SHA256=873B73B68847B82F621AA7B9005D508AA9B5A934CB11DE36BF751394CDEE95E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:01.918{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:01.692{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1227FD8293882298BECAD5AAAEE41D1,SHA256=36D849A939884086234D0C03CAA8DB6BECCDB89521DFCBF6E12F174C3368A0C6,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.510{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52790-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap
354300x8000000000000000319198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.510{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52790-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap
354300x8000000000000000319197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.504{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52789-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap
354300x8000000000000000319196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.504{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52789-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap
354300x8000000000000000319195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.490{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52788-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap
354300x8000000000000000319194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.490{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52788-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap
354300x8000000000000000319193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.426{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52787-false10.0.1.12-8000-
23542300x8000000000000000319202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:02.692{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3D87AE52AA4FE40A936FB830B0B52E,SHA256=84B4CF198DEE780742E662F5E919FD23210EBD828ABC4C0BD6EBB1CB88F648BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:03.709{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA0DFA2B2885D1947D2755DC98A2CD0,SHA256=EAF7550A1D2101338C0FDB4E9E8DFD883FE4D80B36A266379C07D566B56DF51B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:03.099{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52791-false10.0.1.12-8089-
23542300x8000000000000000319205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:04.722{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B44ACF0E010FDC1B5C37AA958DB6E70,SHA256=87C2C6F1243DD6F8C42015A3910A42FDDD4A4DD627C4A0446BAD8FB3082D82EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:05.785{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8C35E960A33A870459807A551AA9E3,SHA256=094970030661C3D65053390C12199129EFA8BDE99320BD23235A7EB88747AA5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.801{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31A2A6BCA1B9FD6D20C7BE87C2E39DC,SHA256=BDE764AB0A49F42B51B7C656049FEA474885AC943C5CB4E57FDE5E5E691AC44C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.270{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52792-false10.0.1.12-8000-
23542300x8000000000000000319207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.582{6A74A0F8-743F-6025-3302-00000000A301}3548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.821{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920B54B2B40737180D68D6E064BA02E2,SHA256=580C369B9A03B043C5D20317939EFA420D8295AF5D481C1AB60B69D2693E0A2D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:08.832{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861300A283306190EB671E747429AA3A,SHA256=1B5B37EEF0EE3BA8B7D91D17DCADB26A93FDC1A26FC6D9E1C5F1FC80410614E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:09.863{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDD278F0F405117BF18EB00E129FF40,SHA256=5B585C147BAB03C0E5B2F9C51A2E37B8AC92E09EFEA41B44F7713D2C8DD1C40F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:10.879{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E0D7FE6C98AB15C489FD5E9282D4C0,SHA256=D9C5031318B232929978E101686ADDD130EE32548FE9C293553C1CED6DDF04F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06F744C39BE8CB1F3762F753CC70B0,SHA256=1E704567B8FD2277B39393B6D5EC78EBBD155C94BB37D9098DE7A39D7A09CF73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.738{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083F7E15AF28D99A7AD1B66933F1C811,SHA256=1D57B680326F2326949D8165AFFA03ACA16B091AE3215DABDB92E33602CEDF01,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.738{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A565AD2A455CEA1CA7ABC35262BB8E06,SHA256=594395BB30AB82150234B7457D420A9B519D1ED8FD2B1955A54D20C6AA52E96A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.332{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52793-false10.0.1.12-8000-
10341000x8000000000000000319227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.505{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:12.913{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F746F01C73B92AC21440F5A047BE85F,SHA256=A56A6D63DA390AC9AB07783636EE6770EB3674D873CBCA7ABABA54A6E453836A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap
354300x8000000000000000319232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap
23542300x8000000000000000319235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:13.922{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF212A8BADC98DFFCED537CE31613CCF,SHA256=08B87B9098FB42C8077CE5F0105EF7A7CB0D28B6FE217D0973636FF059039C95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.973{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A4B6E8240F851CCB7E3DE608CC2808,SHA256=048D5CFECBB54AB5BDC4B65870F08FB90B712D7D36722EA2501F8F2583925DB5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.488{6A74A0F8-CDAA-6026-5F2F-00000000A301}2082172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.333{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.988{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB1DBE71F3B49F9C1D314C2C22A3104,SHA256=FD342B2D5085F84DEE9CD39A7F497DCDA81584001C17B0C7A28E644DA25A8066,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.848{6A74A0F8-CDAB-6026-612F-00000000A301}31767248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.677{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000319254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.176{6A74A0F8-CDAB-6026-602F-00000000A301}74003968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.005{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000319282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.958{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000319274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52795-false10.0.1.12-8000-
10341000x8000000000000000319273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.441{6A74A0F8-CDAC-6026-622F-00000000A301}56125300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.287{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000319291Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319290Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319289Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319288Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319287Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319286Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319285Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319284Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.459{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.004{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31399BD6973003344B426564B709E81F,SHA256=E3DDFCB11888904C5853A9433B7F912BA2EE4D033CA6E96292A4DD14A2EE8D3E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319292Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:18.022{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC00500CD346835F35D0FF428AF42039,SHA256=7662A1078EBAA2755900FDADF629C0E2306DCA1C221268C3091973C683117203,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319321Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319320Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319319Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319318Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.317{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319317Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3)
10341000x8000000000000000319316Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319315Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319314Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319313Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319312Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319311Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64)
154100x8000000000000000319310Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.303{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
10341000x8000000000000000319309Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.209{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319308Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.207{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319307Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.207{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319306Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319305Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319304Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319303Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)
154100x8000000000000000319302Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.201{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
10341000x8000000000000000319301Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319300Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319299Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319298Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319297Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319296Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319295Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)
154100x8000000000000000319294Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.182{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000319293Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.098{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2388D461B958AB59C9D169D4A9B37F,SHA256=6F5247BAB17092BFBBA5DA6D1DD540B44C3FABC6A0A187986CC6BB74C5FB47B2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319343Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.932{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319342Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319341Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3)
10341000x8000000000000000319340Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319339Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319338Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319337Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319336Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319335Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64)
154100x8000000000000000319334Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000319333Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.827{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319332Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.734{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319331Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.734{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319330Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.675{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319329Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.675{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
17141700x8000000000000000319328Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:20.591{6A74A0F8-CDAF-6026-672F-00000000A301}6288\PSHost.132576293593034149.6288.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23542300x8000000000000000319327Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.574{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4pvicgh4.n15.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319326Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.573{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5ndysud.aka.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319325Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.344{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07F7E1A9849D6DCB5886891F2F78C097,SHA256=BBBCCE663678CC03AAE625A9DF44E349BBDF724064E0A889F1B9D039F94AAD0D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319324Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD3C433506DAFB92A7CEBA8D2AC3FDD,SHA256=E438FB641855FBD11664723FCAD5A6C7F6EFDBA4F025C9C678FBE22BA8C6B7D9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000319323Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.301{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5ndysud.aka.ps12021-02-12 18:49:20.301
10341000x8000000000000000319322Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.188{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319354Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=55B72F7D48E8D9673C5E2BF9F5652908,SHA256=B8DAC096683E6089D6D764D4B1D989508593F8E2CEBB4786BC61CA4323117487,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319353Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40E01332EA226C1B70BD54CA7002E1D,SHA256=859BC7051E49670E48D76CCF85794D8033E7435E4054442CCE9757DDFB8D63AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319352Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.301{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319351Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.233{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319350Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.233{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319349Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.191{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319348Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.191{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
17141700x8000000000000000319347Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:21.176{6A74A0F8-CDB0-6026-682F-00000000A301}8100\PSHost.132576293608798144.8100.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23542300x8000000000000000319346Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.160{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bdyisypx.3sl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319345Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.144{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_x0vy5zne.jcf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000319344Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.144{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_x0vy5zne.jcf.ps12021-02-12 18:49:21.144
354300x8000000000000000319357Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.238{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52796-false10.0.1.12-8000-
23542300x8000000000000000319356Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.316{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62D0934DFD265B175218B0F8A5A9A407,SHA256=A32C00C6B4588362804019F1F167B4234579853D6BB21201611904F0D41D62D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319355Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.269{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4364D09622F3AD821CFE1C51D5F7C07C,SHA256=7AFBE1E06C39A61E6DAAFC322B1379A5E29DE4608DB3BD450166FAC13177DE9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319358Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:23.301{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2277A279211C180DE3DA955D86BBB1DC,SHA256=2D6D133C4952B0A67E2CAF72F7091DE22A408F96ACE59D8FB97CFACB49ED32B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319359Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:24.316{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22947B8891A06AB1E51C4127A59F78AE,SHA256=FE2D5E8CD8DD183C98F45EEC2ECDAB3662432FFC77722E2FD9B69B7410C31B8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319360Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:25.363{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568C55D70682EB0F48944043973C504,SHA256=BB55BA229821A35B8D5114ADD263B77845D3B65636B4418213FCAC244F23A34F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319361Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:26.379{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8BBBB7E5270B8332E872B5EF7970EA,SHA256=3AA156FD9226F917211CDB72FE257EE00D45E04E4D410480E8F97CFE91AE6D1C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319363Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:27.301{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52797-false10.0.1.12-8000-
23542300x8000000000000000319362Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:27.394{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9ED1DAB021643B761C6A9D1052C109,SHA256=298504F0B3E9DBF43866C1D6C13407F546A82981A42338D54F18C1195E174E38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319364Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:28.410{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A50FA634866812BE65C6D6E0EF58BDB,SHA256=DB329991A720298FD9904628C5FF8FF5E3796E299994774AF731C16B122E5F63,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319365Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:29.428{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAECDDC9E37EC9088674B7EC05154DEE,SHA256=04BE3BA2D8F065F9E0858CB4CB4FD5E216154D653EFC7878201828266003A5E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319366Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:30.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC1734726328A7AA6B9AF2E6618E025,SHA256=F6158EE8CD50953136934F269C3E113418FBADC92265ED8A627B656B3C2FEF0C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319367Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:31.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9B2A46FB09D55DE65BBDE915A7E7A8,SHA256=6FE154185FFDDB4AFB78341DEF9B963D88E2E210313B956D28850DF83135D942,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319368Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:32.488{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C15CAA075C55247DAC8BA1B4EB8010,SHA256=E976208B356E1D8F5F61CC171E371C480BB48C49FD492594414D5F54B80408C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319370Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:33.522{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D0BB4E18F39608BC5F70D90CA2BF9D,SHA256=5CDF9F5B7C7E969FEFA28578F031F483EDCCFC1D36B012AB7FC317867B468DDA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319369Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:32.395{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52798-false10.0.1.12-8000-
23542300x8000000000000000319371Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:34.582{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE5F375D7D4C8B6F79B9BF1DC3BA3E7,SHA256=218D11F55F7B8CF93066D365F176AA6A286FD911E2E324C18FF62E432E7BDFEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319372Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:35.613{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D21C7DD7C9DEFF27EC5E7907BDC73D3,SHA256=A39EC7752FABC0AEF1C12B963FF334A6ED39085ED1D11621E6AEA432B9F8DE9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319373Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:36.613{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC17D428842C8E8824EF083DED4B4953,SHA256=6C112120DA89D4002A8715906C145E54401E2022CE800FB9F7F8DBC5459CDA4D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319374Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:37.631{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7894267C6537993DBAE9E8FDA9EC747F,SHA256=B6E84AD760A72547471343B07285043425BCE7B308483FD94D08D5B8D9A98437,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319376Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:38.644{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE0143C426DAC79D744E3577F3857EF,SHA256=8B6F0E7A3535E89750811ED68115EAE538C020417848CBE742495531016CCCB8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319375Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:37.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52799-false10.0.1.12-8000-
23542300x8000000000000000319377Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:39.644{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC9539DEE4F0D450A49DE06BAAC5CB5,SHA256=6F196446E580F0B4C5197B7FB7C58CA9ECC41C9A0CF7B9F73A010F47BC373D79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319378Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:40.675{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685B489083DFFB00F7E7ED493B30ECC3,SHA256=73E6BC947B5F917BEE0458056546A08481072CFA418AC86145C553B2CE1BC01D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319380Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:41.706{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD67D7A81501A0D7496C2D26CE9B6FF6,SHA256=BE2BA733922458788A1D89BABF3A56F848D6B6B902BF05C5831B04D917C7D850,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319379Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:41.659{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1871345E6C5C80EF5BAD17C267AF8BC2,SHA256=B4FC0A940420DF09ECB9430937535DED8F3158030149A0DEDC9068D3B02DFD60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319381Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:42.725{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAB94ED5F85184D364534015B21DF60,SHA256=9D55821A24309224C15EADA5FA38847FB7F506CADDE05651401C995D5E2A1D27,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319383Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:43.753{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1EC26BC5C261C0624FBE02BBDE0D61,SHA256=EB54151C5846EE65455E6190454665BFAFBD17167423B7AB723EE03E57A84C2C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319382Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:43.254{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52800-false10.0.1.12-8000-
10341000x8000000000000000319453Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319452Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3)
10341000x8000000000000000319451Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319450Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319449Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319448Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319447Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319446Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64)
154100x8000000000000000319445Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.985{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
11241100x8000000000000000319444Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.972{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-02-12 18:49:44.532
11241100x8000000000000000319443Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.972{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-02-12 18:49:44.532
23542300x8000000000000000319442Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.932{6A74A0F8-870E-6025-FA07-00000000A301}6688ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=19B096BE5F8C30B88A9194301487C102,SHA256=D49444868C47E716026915E5A9466F030E714EEC821249BE2BAAA2E8816FCFB7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319441Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.863{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319440Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.863{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319439Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.753{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319438Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319437Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319436Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319435Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319434Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319433Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6B2F-00000000A301}65807572C:\Windows\system32\cmd.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319432Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.750{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%tmp%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %tmp%\T1218.009.dll"
23542300x8000000000000000319431Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\CSCD3939E369B96433FBEC249AF5DEA228B.TMPMD5=18B162FAA3AC0C16DAE1DDC84B984748,SHA256=966C815F2DFE53592BE12696F6C7061AA9340EF4A8285360427617ADDB65D29A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000319430Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localDLL2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dll2021-02-12 16:43:37.946
23542300x8000000000000000319429Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dllMD5=09362B7F7B76CAD6ACC007ED97488DDC,SHA256=AA3F5A6BE4D7FDA0E892BEC5CE4CFF6D62CE23DF258D16A12EDBBAEAC7599BCC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalsetrue
23542300x8000000000000000319428Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmpMD5=7A5AD81042F1254D2E7CBE1FA30CA4E3,SHA256=9E4DA5F38A2C7ECA6AFE9749202D64FEAF7618C60856A9058E385B7F588EBE88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319427Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319426Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.727{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319425Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.722{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319424Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319423Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319422Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319421Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319420Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-CDC8-6026-6C2F-00000000A301}77127188C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696
154100x8000000000000000319419Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.721{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\CSCD3939E369B96433FBEC249AF5DEA228B.TMP"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs
10341000x8000000000000000319418Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319417Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319416Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319415Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319414Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319413Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319412Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-CDC8-6026-6B2F-00000000A301}65807572C:\Windows\system32\cmd.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319411Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.549{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%tmp%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %tmp%\T1218.009.dll"
10341000x8000000000000000319410Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319409Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3)
10341000x8000000000000000319408Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319407Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319406Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319405Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319404Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319403Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64)
154100x8000000000000000319402Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.535{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%%tmp%%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %%tmp%%\T1218.009.dll" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
11241100x8000000000000000319401Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-02-12 18:49:44.532
11241100x8000000000000000319400Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-02-12 18:49:44.532
10341000x8000000000000000319399Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319398Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319397Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319396Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319395Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319394Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319393Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)
154100x8000000000000000319392Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.433{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
10341000x8000000000000000319391Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319390Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319389Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319388Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319387Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319386Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319385Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)
154100x8000000000000000319384Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.415{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000319501Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.909{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA41C27D9B3ACDC02979D1A899543F,SHA256=3F39F65DF7AD5A2DCE9E5733FC00B1FFDE9D4B25CC3C6909B0062A18892C9BA4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319500Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.722{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319499Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.722{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319498Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319497Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.522{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A57CEC3B5E1E556E39FF0D4B874442A,SHA256=D503A462DE69364798C3695473A8F7B7AC23736FB74B1796CCE7BEB0CA10A61C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319496Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.520{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1695110E50D2AC795FC356D98F61E7,SHA256=6FC28F0E31B0365EA42FF3254CA2DE73978AB6F78D3297E65C3EA473EA71A5FE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319495Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.456{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319494Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319493Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319492Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319491Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319490Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319489Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC8-6026-6F2F-00000000A301}19287404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFDC9B9331B)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC90363D1)|UNKNOWN(00007FFDC9028356)|UNKNOWN(00007FFDC9034889)|UNKNOWN(00007FFDC9034425)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)
154100x8000000000000000319488Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.453{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dllC:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll}
23542300x8000000000000000319487Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\CSCA6F4CC9EE1164B8292B71A0F1BE6C3E.TMPMD5=18B162FAA3AC0C16DAE1DDC84B984748,SHA256=966C815F2DFE53592BE12696F6C7061AA9340EF4A8285360427617ADDB65D29A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000319486Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localDLL2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dll2021-02-12 16:43:37.946
23542300x8000000000000000319485Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dllMD5=AFC8DD830E3D9E8F4B03DD3E150158D8,SHA256=E2B98B2704E546BBF4025960272B49FA066DB1E8B98CD3F7841C91746C856CEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalsetrue
23542300x8000000000000000319484Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmpMD5=A770582062E7FB438A4732E5145A433A,SHA256=2747301DFA4D7D8657657363E724ADD04F140EF88402CF9DFEA16F816732008D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319483Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-712F-00000000A301}728ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319482Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319481Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319480Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319479Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319478Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319477Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319476Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}51605664C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696
154100x8000000000000000319475Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.419{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\CSCA6F4CC9EE1164B8292B71A0F1BE6C3E.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /out:C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll /target:library /keyfile:C:\Users\ADMINI~1\AppData\Local\Temp\2\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs
23542300x8000000000000000319474Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1bc0d29c9a68245c8561752e0ca02144_6a74a0f8-7ee7-421e-9cdd-93fa9c2794c8MD5=534D78034B774B6266F2189576F8C6E3,SHA256=62B14867E4E79D50673D2F7474335229F54C478F56D2A910235E1953C6D29206,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000319473Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1bc0d29c9a68245c8561752e0ca02144_6a74a0f8-7ee7-421e-9cdd-93fa9c2794c8MD5=7FCD96E4A6177867EFBA2B580421472A,SHA256=3C403CF936E40276A2D28002BD4B5D7EC3F67D49459A160292A9F00B8BAEE6DE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319472Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.253{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319471Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319470Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319469Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319468Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319467Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319466Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-CDC8-6026-6F2F-00000000A301}19287404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFDC9B9331B)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC90363D1)|UNKNOWN(00007FFDC9028356)|UNKNOWN(00007FFDC9034889)|UNKNOWN(00007FFDC9034425)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)
154100x8000000000000000319465Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.248{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /out:C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll /target:library /keyfile:C:\Users\ADMINI~1\AppData\Local\Temp\2\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.csC:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll}
10341000x8000000000000000319464Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.175{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319463Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.175{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319462Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.159{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B0A41853F46B68526BA08F436A2796,SHA256=D751C24CA941ABA9F8DD9EF2EAA05A902BCC3245BDA20B80978BF9135BF63C14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319461Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.159{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083A04955B1436CEC044FE9ECB1D325B,SHA256=D7083BBAFEABDF22E67F8C40BAFA52E01FB6DECF1D446875FAECAA1F155D1791,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319460Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.132{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319459Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.132{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
17141700x8000000000000000319458Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:45.113{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928\PSHost.132576293849856556.1928.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23542300x8000000000000000319457Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.097{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_m0pokzfv.0eb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319456Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.097{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xpxpmzco.kmw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000319455Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.081{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xpxpmzco.kmw.ps12021-02-12 18:49:45.081
10341000x8000000000000000319454Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.066{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319509Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.987{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA6D7A185F564A68BB7400B237672E3,SHA256=D3B9C327AADAF1516F142E0464EF7FE5B32A6EB810835CF2AC0E9B59FC7649E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319508Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.847{6A74A0F8-CDC9-6026-722F-00000000A301}8040ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.tlbMD5=9C845A7202BF97B735F10F6AE2FF0FBB,SHA256=0DB8817A472B5B7C02D0A339621571D86D214B7406F1AB2A8C0DED40D9F679BB,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000319507Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:49:46.832{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{1F58AE05-0945-3625-8538-9E0CB19B3EC5}\InprocServer32\(Default)mscoree.dll
10341000x8000000000000000319506Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.816{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319505Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.816{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319504Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.800{6A74A0F8-B03D-6026-B92B-00000000A301}41083380C:\Windows\system32\dllhost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a
23542300x8000000000000000319503Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.784{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2CA768E847C4D155F522C592E7CECE1,SHA256=7D70A46599D12D7753D42ACFABD9B13E2F8B8BFEB5B86E4FA5FD142A225D45EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319502Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.784{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=753294C565D18BB6F178CCDE94935B6F,SHA256=44186356CBF50ED3377A61D95E3E8F13E52B5EF2BBC0B4038C464FC0560BD542,IMPHASH=00000000000000000000000000000000falsetrue
22542200x8000000000000000319512Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.919{6A74A0F8-CDC9-6026-722F-00000000A301}8040WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
23542300x8000000000000000319511Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:47.097{6A74A0F8-870E-6025-FA07-00000000A301}6688ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=7F72DD2E749A1799575D9830E30ED7E6,SHA256=6A9CA60EFF61453B7DEF5559DE7F0497638EEA137B1ABA99063B586E134F9EDC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319510Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:47.032{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319517Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.316{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52801-false10.0.1.12-8000-
23542300x8000000000000000319516Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.050{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47DBB77D3309ED3966F8CA54DE2B6C6A,SHA256=9826C213ECFDBD5E5E93D627366DABA5CF45A792068203982A69C443A4F30C05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319515Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.032{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F849B2F22C82BFD6C40840CC9605012,SHA256=704CAF0B2951446214EF0AA16A28094622F1C4C31105E18A90C4314CAA232B9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319514Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.031{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083F7E15AF28D99A7AD1B66933F1C811,SHA256=1D57B680326F2326949D8165AFFA03ACA16B091AE3215DABDB92E33602CEDF01,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319513Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.022{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7235CE4ECF68E8EBFCF8FAB61A1DCA,SHA256=9E0581FA08DE50926E78D8C6D1597DE215E72B412E084E0701A8F2DF6CAACA01,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319524Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.394{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319523Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.394{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319522Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319521Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319520Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319519Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319518Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.081{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285DC8D8453A57524DB271109CA5C902,SHA256=9EC05BFEB2472CCF74720701E4542F0EBD872C0509A73BF09AA88BC5D981687E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319525Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:50.097{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A81F8C472AB57994ADC0C4D650B52E,SHA256=40CB69721F33ECB434C916F89F4AF3724AFF58E011CA0E3977883712424B3433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319526Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:51.112{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D08B637D195AEB636A6D8CF15E753A7,SHA256=9CBEE177ED9A23A22A06A55653E562F70B7F3629E393D2B7A5CD40CEAB63BC10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319527Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:52.130{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E939624CE438B41CAE217F1964C7850,SHA256=4CDE981553E04C9D53D9D46B65257E218E6BA103DA4F458A11AD6C94B568031C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319529Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:53.379{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52802-false10.0.1.12-8000-
23542300x8000000000000000319528Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:53.144{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A316F8A6F862717D728172489158D47,SHA256=9669332CF938D0250C69B685F0DC6A3BEC0655FA12A32044142DCFEE1EF13792,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319530Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:54.175{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA4DE9728A4E56110A537B38A7ABC05,SHA256=56DF601BB8CC2A2091DA6A09A8E97266E30337F06D0F9770DE4D8523184FDAFF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319531Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:55.175{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643B14BCE1824AFC19FD206A79404ECD,SHA256=7080DC82B84BC15147DA380A05E66AA358F10E80A018CD6AD1D0D6A7E81D2788,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319532Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:56.190{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E37D8D0A115E278496851F3814E004,SHA256=740E97BDBBD359206B1666C53059ED3898DEEB470F7CC7F5F273E5D9A2A031F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319533Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:57.206{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB511908097BB58C2D0C838BBB3CC84B,SHA256=710B37485F1483B9017FA87A3D6A31638FD9C56E8B88A65F99F567D131EA1C0D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319535Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:58.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52803-false10.0.1.12-8000-
23542300x8000000000000000319534Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:58.224{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903BB56C68A65E750F7C285B6FF4EB4F,SHA256=D7698BA4397DBE8645BF51C77A4843B6B8B78026DCC64BEEFDBAB413CEBAC824,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319545Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319544Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319543Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319542Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319541Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319540Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319539Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.232{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62914D2C851DD40996F6027EDCA1BC14,SHA256=ABAB3D7188DA5DFF57ACD601CF3413D480112FAD62C8C2A473D565C4575DB6EC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319538Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad
10341000x8000000000000000319537Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319536Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF54acccb.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319546Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:00.253{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318A917C0C619FBD136CC493C4658475,SHA256=278BAE646F526699CC1E2B3F1461B92B2DD0C29A27F515D37DF1329D0E0FEA03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319548Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:01.956{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319547Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:01.268{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A8F609350CDF6404DA15F4D73F832B,SHA256=8555784A78BEAF711608E5FC7E67A4E145AAF312B6AA655E2F7AC4B8065E5BB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319549Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:02.284{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA4852193AAC6F5A4EEB36DCD498569,SHA256=194F24BE1D468C6292C3CB5D9E1220DF57524FFF1D0B632783806DC4C3FBA1A2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319551Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:03.113{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52804-false10.0.1.12-8089-
23542300x8000000000000000319550Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:03.300{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC50E33E9514DEF1E080121F07205426,SHA256=88E16F7236AA816AE44B77EFD062A5365E959B035529397268B338888E975E45,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319553Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:04.285{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52805-false10.0.1.12-8000-
23542300x8000000000000000319552Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:04.378{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CE9807C92623007949BD7D6230F801,SHA256=FA8AB1AD9085A6301B7D7702BFC345E1162F4307E8381D602D2BEAA195C9560D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319554Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:05.409{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0C6B0CC2D4C72616E24904FF0FD5BA,SHA256=E5B4532961850B6513DF318F29CA35001AAE99F64BE03827DA58A62FF3A15D32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319555Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:06.427{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9EE450A17A86098362001A4A834A07,SHA256=9DFA539DFEFB581BB66EF72E73C0DE2585EA736DB0C3D0BA023E43ACEB05AB82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319556Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:07.456{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63961D4EF8C974CFBA7239306A45EB6,SHA256=CF31C6C52F2AA42D5400C154FAAC19F42CB571D09416CC426D89E959B455D94F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319557Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:08.487{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3538F409D31FBCC8005746C88DCBAE,SHA256=B136A230A836751C45FF9C41F4F378E842C68A160D0CD18345B5555AC2C10925,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319559Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:09.441{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52806-false10.0.1.12-8000-
23542300x8000000000000000319558Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:09.503{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC4C0ACB8C226B222FAE4168D275823,SHA256=72AAF64376305B87827A75A654DEB1E1AE8E846412D020DB90848822D534B9D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319560Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:10.527{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAFF79408EAEC9F9E03AA06188509D9,SHA256=0BCAA7888E9A0289FFCCD915CEE0E75BF4072C0764DEB47C4AECA4915D760787,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319571Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF658FF783888C04CDECDBF8910B2B18,SHA256=3D0247804155D793216E180EEEBCF44694F641F967EA8519DB186C421310D71D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319570Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F849B2F22C82BFD6C40840CC9605012,SHA256=704CAF0B2951446214EF0AA16A28094622F1C4C31105E18A90C4314CAA232B9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319569Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.549{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62360C8DA90F7E89DD5D674EF7232466,SHA256=4D4F8F129FF049F6924BC7A27C1CD0BA599C4399B37347F18167EA8F6B07245C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319568Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319567Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319566Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319565Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319564Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319563Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319562Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319561Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.503{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000319574Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.910{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap
354300x8000000000000000319573Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.910{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap
23542300x8000000000000000319572Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:12.549{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12930900F5E0A3ACEE672ADB875FE8BF,SHA256=DA0A051F9F492C087EBE94F7BB92877ED6FE77123CDE130CF3C73C3CF5C673AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319575Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:13.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F47521C9B90FB22E91B5371F251857E,SHA256=8E99F679C0150E6BF5663395B203D9DE6C359F7F8955113618BA9B8DB9D059A1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319592Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319591Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319590Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319589Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319588Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319587Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319586Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64)
154100x8000000000000000319585Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.917{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000319584Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.612{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930271350EDA0E66C7A578F52D335E07,SHA256=8BD7102598FC68749CC36AA32D9A5375D0F62C068F493C692178743E8402D29C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319583Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319582Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319581Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319580Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319579Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319578Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319577Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319576Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.331{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319616Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.909{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A93ED45D964096E3A25738F7DFF31251,SHA256=493AA5C7912B1D458C463DF17EB337A05A2E0538714F492B76D08DD4268A87F7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319615Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.831{6A74A0F8-CDE7-6026-772F-00000000A301}62927800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000319614Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.316{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52808-false10.0.1.12-8000-
10341000x8000000000000000319613Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.682{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319612Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319611Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319610Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319609Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319608Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319607Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319606Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.675{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319605Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.643{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23382519EF91F53D73E738CCBF43CFB8,SHA256=3D9609D10639B4D258E8E17174D10CC33555C645D40DC640CDFF88912CCBA91E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319604Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.177{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319603Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.177{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319602Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.176{6A74A0F8-CDE7-6026-762F-00000000A301}69967432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319601Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.151{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319600Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319599Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319598Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319597Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319596Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319595Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319594Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319593Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.003{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319630Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.706{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E18648C1405AED27028D64F3168D6BF,SHA256=71AB61EE3EC5FD35E0564C49AB76D324D08DD7E167974C6DF6FB66E67D53055A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319629Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.502{6A74A0F8-CDE8-6026-782F-00000000A301}56085300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319628Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319627Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319626Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319625Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319624Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319623Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319622Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319621Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.347{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
13241300x8000000000000000319620Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:50:16.277{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll
10341000x8000000000000000319619Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.276{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319618Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.252{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319617Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.252{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a
354300x8000000000000000319650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.470{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52809-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x8000000000000000319649Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.862{6A74A0F8-CDE9-6026-7A2F-00000000A301}43166264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319648Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319647Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319646Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319645Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319644Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319643Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319642Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319641Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.706{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000319640Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98D8EF86B0EBF5883D85A90FC7121A9,SHA256=9C6495A340DBA70EAEB08ED70CC93C6DD40340DFC2E2F92F233D1F4D4CE4C431,IMPHASH=00000000000000000000000000000000falsetrue
22542200x8000000000000000319639Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.374{6A74A0F8-CDE6-6026-752F-00000000A301}6016WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
10341000x8000000000000000319638Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319637Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319636Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319635Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319634Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319633Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319632Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000319631Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.019{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000319652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:18.830{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
23542300x8000000000000000319651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:18.705{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CB9B39588E8973E32D15363D2C4224,SHA256=6351E21ADCFBDB4757E2C6FCB83668B0F2F0E045CB0562CDAF161CC0F06181D0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.020{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52810-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds
354300x8000000000000000319658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.020{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52810-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds
23542300x8000000000000000319657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.846{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B77281EC5B5C21C9D498F24A87ACF8,SHA256=FD07A67BE0561C85B47E5A280A56BC976E94EEC175F8B478A2E105B79D31F247,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.846{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF658FF783888C04CDECDBF8910B2B18,SHA256=3D0247804155D793216E180EEEBCF44694F641F967EA8519DB186C421310D71D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.721{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BD7DB552DAA9D83D4639587A2D2E81,SHA256=F763ED49C44D415B61BF7F146182E3F8285A75AEE3C1E693264AB4650F4BC860,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.502{6A74A0F8-730C-6025-1600-00000000A301}15324516C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.502{6A74A0F8-730C-6025-1600-00000000A301}15324516C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.737{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230E5D3C96E335EDAF56358EAA72774C,SHA256=386B6BA9C1392F9A6E681C8B505A98BB9FCBAC7AAB02AB739C7E8A5FB6D7420A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:21.737{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27741B388A34929A972C101D19346F78,SHA256=A02D6BE4714AEC26AC1936D02264250FC1829099B155797BB5856326BCC2741E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.425{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52811-false10.0.1.12-8000-
23542300x8000000000000000319663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:22.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BC8340D8EBAACDB52B9F7BD45F0C0D,SHA256=013DECCD6CA9E552A03D5A7AEA5A92B3972969F61DC8DE5C271F29BAAF31E337,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:23.770{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4BDF80F63DFB9178A91C42CC2F9248,SHA256=DFAB2E8C06DE6183EC05960BB4619D6AE99963D03ADA263DE3B0D2889B715722,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:24.799{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28627D9DF4EB3DB2440B35C7A86115A2,SHA256=7B175F237CD319A56B9B0798498B2D8F4B2F1675D63D370078628E185A7397F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:25.830{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA0EFE39A46698F62FF2552703A122A,SHA256=433A07085FCC5D0CF319C9F5EE4E61C8F7E9DCD6E0377290B720B9B6C0B776B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:26.862{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A10D4ED851F3504736F5E85C872F9B4,SHA256=C6D7998F4A9287BB6FF169760EB2701EA6B80EB398361F90B03782B4E334FF39,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:27.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2BD2BD4041D7568D143CAE816A8A6DC8,SHA256=0C6C9D7454DBDF96113E4BA3D37F947E99557F5E627E92811C946E680DB77202,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:27.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70240C6D4DA0C2DEF002929F8C11206,SHA256=907AFA9409FEA6C0F17226DA616BC766100B7F49080B78C7B69A3A73DDCFA625,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:26.300{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52812-false10.0.1.12-8000-
23542300x8000000000000000319671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:28.924{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F61EC1331F9838E1EEB067CD70DC91,SHA256=4E8A837CE70B45E6E2D81E530A375C6D2F63624A911544D975EA99AA0151F6BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:29.955{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C4B21456641652E40A0E0EA8364DFA,SHA256=6E7ECEF0FFBA691E54770673D11EDF550FAB996FFD9299713B28E92737D0BC70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2463DA43D9B75F2E5EFEFE68A4A87907,SHA256=0C42F15EAE479AB6582BEEA2716FFDF59789F5E4F5AF32ACF21B8BC3496614A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B77281EC5B5C21C9D498F24A87ACF8,SHA256=FD07A67BE0561C85B47E5A280A56BC976E94EEC175F8B478A2E105B79D31F247,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:31.002{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D2BE5C60624B1E1D5480FDCB7E8590,SHA256=9735BC03CDF34233AD5965FBBC35F7CC1E658C511347C9ABC843AD01C15977D3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:31.363{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52813-false10.0.1.12-8000-
23542300x8000000000000000319679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:32.033{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B462B7A341726494F199752C055264,SHA256=B1B6366F3FC9B5DA986E24AE60BC334C5FBB6B705AD265095AFFB3169B400D16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:33.064{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CCDF84C366155677D847147004C403,SHA256=B64A483F100B2D9C6519EC0F7AE9794FCE65D75B5F11F321948E0B657D019E04,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64)
154100x8000000000000000319683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" /U C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
23542300x8000000000000000319682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.096{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AACE1CB8CCB1681FBFEAC98EF0303,SHA256=8DEB452FE2E06FD61EFB144E22A3750A0FFAC1EE67BE10D242856D00C898DF08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8EC52F263ACC98CE157131D8C15EFC27,SHA256=D946127C59F5ABA0845833E0516430E4C0003D6BEF9A4150EECBFBD2062CAA57,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.143{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.143{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.111{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.111{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99665C544C907AB0DD2BCFADF2684C3,SHA256=A61B8DBF5F96966E205673E1A79D190C8EFFB13DC9401DF9B176596DAFAE5FE2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.221{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.205{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x8000000000000000319698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.205{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a
13241300x8000000000000000319697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:36.205{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7016f-0xf3168750)
23542300x8000000000000000319696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.127{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418F19C5261B47B180561BB99CEF80B6,SHA256=271BBBC56D780A57A05858D740E34A2F068351B587C95FF14CD9CA0A763B7ED5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.409{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52814-false10.0.1.12-8000-
23542300x8000000000000000319703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:37.299{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42E3A21BBC2EC4E44762186562E06EF2,SHA256=7603A54E66BCE0297C20C7AD42B828F891424A6B6EDF6D37F0DBE347B0F1F9DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:37.205{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA5DF44BCC61B2198F1B9A9D5453E1F,SHA256=22CABE00196AE4E1BD4A19EE864104F60EDBAD1FFB6F3A71DA4269AC04D095E0,IMPHASH=00000000000000000000000000000000falsetrue
22542200x8000000000000000319701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.346{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
23542300x8000000000000000319705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:38.237{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C186D603C134276DFD8E9F53E318B1,SHA256=F9D2B7A85D718F3A82D84168AF87934FE827D8609725DC1F6FF919E7679F4DC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:39.299{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FA9D14929D99C2B3B0C825C9244F88,SHA256=2A76CC395109C7CE41CC0DCC08BFAD2DE3D041776A9FC9D198AF7D1AA544AFB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:40.315{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456D4E2C6D725280634498241BDE95D4,SHA256=D18631BF8E51233DE44947E6DD29EAF58583EE1BDC480907F8327DBE3DD76A1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:41.674{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB600AD46912E438626B4DE3EF6B2541,SHA256=5CB29415EC602540468D71F060F1DAADD5F08E8F61937B7592E009F55D442334,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:41.361{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F87D67E48EBE23D3107813C3EA149D,SHA256=B8FEC4450C75A77F4B2FBB8E980F1C68926A151E8947BC0D618FF7711663BB4C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:42.269{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52815-false10.0.1.12-8000-
23542300x8000000000000000319710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:42.379{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA38839344D47F3DAD67C2066175292,SHA256=BCDDA6FF1FDA8B004B217187951E2CF90BC3EF95D795D71277B9F2933CFC7278,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:43.381{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83E1070CCD8617C3BA04CB95354242,SHA256=E2226A1FD89F6CAF36DB9926F236657C3D3EA07110B956F5701706F9AE8E7EDA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:44.393{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECD467DDE2DD09918CDC0C27253026A,SHA256=2E6A71517CB79CC0452B85073F3E91099EE5DBF7858C4D5B33FF9F7998F144AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:45.408{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC3D1642F594CD0E88906A8A866BED0,SHA256=14A1E42DEDA751B15E09F9381B5CAF211E91EF5D8DC9C291785F92D7C1222953,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000319725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000319724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x054b8638)
13241300x8000000000000000319723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70167-0x9758796d)
13241300x8000000000000000319722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7016f-0xf91ce16d)
13241300x8000000000000000319721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70178-0x5ae1496d)
13241300x8000000000000000319720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000319719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x054b8638)
13241300x8000000000000000319718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70167-0x9758796d)
13241300x8000000000000000319717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7016f-0xf91ce16d)
13241300x8000000000000000319716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70178-0x5ae1496d)
23542300x8000000000000000319715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:46.424{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B16C4131410471093DE5031E9CC81B2,SHA256=46D75529BF798A9CF6BF8E98B0B3615E85A09F3ADD94B5458E43D9E3677FBE8A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000319727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:47.347{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52816-false10.0.1.12-8000-
23542300x8000000000000000319726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:47.455{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02212EC12A52A81D1823CA642FCA119,SHA256=E4277F7035E4791ECB547F80B976C125C3A7DA13B43B09814F5E327755EB6121,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.478{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3A86062FAA96D76E242D9CF1F1A30C,SHA256=843520505B5DB651CADFD6A017768404A348A6B0A2FAEFDA488187E721579E3C,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000319738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:50:48.361{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll
10341000x8000000000000000319737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.361{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.361{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64)
154100x8000000000000000319728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.302{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
354300x8000000000000000319742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.571{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52817-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x8000000000000000319741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.502{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E711A2BBE5758207F4878EFB65DAB0,SHA256=403DA2F8024823ED6F53A399C75DFD49B09532C5705177C0D9F1809745197BE1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000319740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.330{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B44483AA09AD3D69E6B583DD7731DA84,SHA256=641BE8F9ABC52285C94463C76B2709623085B1FFD4C11C71ABB9BCE0356D8321,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000319797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000319796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000319793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5652DD91D336B3D2A25B17DFC97B04DC,SHA256=3122516222A2A70C034F7AA5DB1DB84B3A87CEC84BEBB4C5A3C30491B181FCB1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000319792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.680{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000319774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.680{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x8000000000000000319772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x8000000000000000319771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x8000000000000000319768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e
10341000x8000000000000000319767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000319766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000319764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x8000000000000000319752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x8000000000000000319751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x8000000000000000319750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000319746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611