23542300x8000000000000000319157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:35.116{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8CB410E8E08D6B4B442E8C8F700F0D,SHA256=D5F90BBB28B2CDA2BFF5A79E51A3E29CFD3C61360190D5D9672790B9D99A33D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:36.119{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169D2E51688FE2BD70BE1E5537CECE05,SHA256=09B52CA8E5B483C279AA914473F2F109D1FB0D5A3B3ABBEC48333BA65385B0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:37.177{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28473CCAC1E1FA15B07D8DB5F2932F41,SHA256=50B2F397E8122DAB9C1D27FA1BAAB69EE0A5FCC5676AA4CD08B158B08A469080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:38.210{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F92ABEAD9631003C646CD1C65533526,SHA256=059A6E986AF82FF422EC8908461B1EC586FC1CA773FF9136D4F5B525925D79E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:39.270{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0438D3C121BC65EA4B37999832EB7636,SHA256=1FE0AF2747413BC5A5F479257D3F3BD7930569AB9A9CAEC671DD534A212564CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:40.270{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CC750EED913E773FAC8DB556EAF27D,SHA256=B5D24AC45851A0E40595D3C699AEAA443CBCD4DBC73D038B7645D1BD59E9B662,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:39.270{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52783-false10.0.1.12-8000- 23542300x8000000000000000319165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:41.645{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01A7B4A4F51CCBC166796026704D0F5A,SHA256=D8BAA9EE378FF9512EB8056AAF41ED7C099C5803A8C2352E7B50768EC076E91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:41.302{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC2E70EC9918F3C9BA8CE2FC5D4A590,SHA256=8BC0431B2C92D401C519FD1FB917654B83D6FA030ED312E554934C789A5965CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:42.320{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D27140625B3D629522780590369C53,SHA256=5555BBBF402F8577E5FBF40DE35CF66FCF114655093495724C393BAD873A0C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:43.333{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107F9B46ED058742AA5E7B28C03EDBE8,SHA256=E515FFA142276C6FEC0DE7217B248C04B3A4BCEE6F6C280FEAB988C58F03002C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:44.348{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4844E5DA0966539F693E5EAE9E7A334C,SHA256=2DECF2EABD73D1E83D53644824EC26FBCFC7ECA4EE8D70642B18B5F6CF9A1F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:45.348{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B29CE9CBF4D7DF12246D7EF18302498,SHA256=249D7C90F821E6555D8C74C046F22DDADF6037608710989EBC053DD4F6948306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:44.379{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52784-false10.0.1.12-8000- 23542300x8000000000000000319171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:46.364{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96AFB005CB798093AC7FE380A1577C0E,SHA256=BC70309B9308A7369ADD2EDC7AD03C9008FEBBB6B98EBA54EF3E23BF6CE5D2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:47.380{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48E11B693B53437569889C9EC9FC0E5,SHA256=B5ECF983E9BAD0BF874005C917A36D3BBE26897F486F811A48005EC816CC2E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:48.395{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF0C5933815800E39886D7676A30E85,SHA256=86B2CC3BD5346DA0B19A7F2BF20F2EC8FE2AF57F22C607DA8FC862B578A5F80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:49.442{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE85CEB77F1962AC8F69871B84293C52,SHA256=4E39E6CC0149C196F25533A92C0112F249B98A460555D4B1A99E8476DC5CF738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:50.473{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193F42C5DF83A9FB78BE059217B5ACBE,SHA256=88B896EECAFE29A21AF89DFDECE489047B61E2E4067D0E725F465AB52EFFC1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:51.504{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919BCDB10D56C7EA3A3380460A9C6EB7,SHA256=9C88B7CD3E14757CB63CC21C9A61C14487BA32C7DDAD646813FFF32DBB8E9CF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:50.255{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52785-false10.0.1.12-8000- 23542300x8000000000000000319178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:52.536{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3879F3E88AA0C1765026FA684C51A1,SHA256=A9D4ED03F3FA7FEE70FB74022E3D8C41C3C4CB700FE9756C9A6A77793A487635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:53.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F4819F332E833CDFF712E6CDA7473A,SHA256=54A9D724AE6DD38D4A89D439125609952353035CD4F759C63AFAE9AE5DD76AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:54.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A188A0DB168871C8368958043614B68C,SHA256=6606495338DF96808BDD84B6F75588A78D4D7B3CF32C3AAC7576ADAAA3CFED6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:55.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BA87074B518024E3AA632AF1F2B400,SHA256=0F497F78B5E6A31481CEE357C77AD43FCCC1D37BEB4EE8ABA1F7CCB2787A6CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:56.551{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370D33197C71756792C181A637ED0AAA,SHA256=E42E9D07EC111D0CC1B24BC4F61FD34790F2885FE39E4469369ECA15989FF004,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:55.348{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52786-false10.0.1.12-8000- 23542300x8000000000000000319184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:57.567{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A06D105206816AC4AB4187692D864D,SHA256=1133B86DB959B6CBE5577061B9385EED80C5A01A0E592ABBE2D9FBF721F1C745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:58.598{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA40E346754D9C60CCE1CB5CA9BEFDE,SHA256=D1B2F233A7DE8A5395F5F52CC3C9F91D7907A25DD8D5877FCB9C49A56E0FA1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:48:59.598{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CE8CEEBB2983CC31510278550CC631,SHA256=3DFADE9A94FE0B24CE53E4CA05536701191581FCFAA9DE2099407B1E68545A58,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000319188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000319187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Config SourceDWORD (0x00000001) 13241300x8000000000000000319186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:48:59.301{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C.XML 23542300x8000000000000000319192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.645{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642C09217EA1F39B313875E0D43B1EC4,SHA256=A7FA3957BF40AB8D777EA87A8EFE4AB58594CCEC9BFBAA8B760D420A9B39BFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.323{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A565AD2A455CEA1CA7ABC35262BB8E06,SHA256=594395BB30AB82150234B7457D420A9B519D1ED8FD2B1955A54D20C6AA52E96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.323{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4115DB49D651D0F0A071D739F2E31E,SHA256=873B73B68847B82F621AA7B9005D508AA9B5A934CB11DE36BF751394CDEE95E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:01.918{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:01.692{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1227FD8293882298BECAD5AAAEE41D1,SHA256=36D849A939884086234D0C03CAA8DB6BECCDB89521DFCBF6E12F174C3368A0C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.510{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52790-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000319198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.510{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52790-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000319197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.504{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52789-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000319196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.504{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52789-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000319195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.490{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52788-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 354300x8000000000000000319194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.490{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52788-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 354300x8000000000000000319193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:00.426{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52787-false10.0.1.12-8000- 23542300x8000000000000000319202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:02.692{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3D87AE52AA4FE40A936FB830B0B52E,SHA256=84B4CF198DEE780742E662F5E919FD23210EBD828ABC4C0BD6EBB1CB88F648BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:03.709{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA0DFA2B2885D1947D2755DC98A2CD0,SHA256=EAF7550A1D2101338C0FDB4E9E8DFD883FE4D80B36A266379C07D566B56DF51B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:03.099{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52791-false10.0.1.12-8089- 23542300x8000000000000000319205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:04.722{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B44ACF0E010FDC1B5C37AA958DB6E70,SHA256=87C2C6F1243DD6F8C42015A3910A42FDDD4A4DD627C4A0446BAD8FB3082D82EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:05.785{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8C35E960A33A870459807A551AA9E3,SHA256=094970030661C3D65053390C12199129EFA8BDE99320BD23235A7EB88747AA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.801{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31A2A6BCA1B9FD6D20C7BE87C2E39DC,SHA256=BDE764AB0A49F42B51B7C656049FEA474885AC943C5CB4E57FDE5E5E691AC44C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.270{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52792-false10.0.1.12-8000- 23542300x8000000000000000319207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:06.582{6A74A0F8-743F-6025-3302-00000000A301}3548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.821{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920B54B2B40737180D68D6E064BA02E2,SHA256=580C369B9A03B043C5D20317939EFA420D8295AF5D481C1AB60B69D2693E0A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:07.176{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:08.832{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861300A283306190EB671E747429AA3A,SHA256=1B5B37EEF0EE3BA8B7D91D17DCADB26A93FDC1A26FC6D9E1C5F1FC80410614E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:09.863{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDD278F0F405117BF18EB00E129FF40,SHA256=5B585C147BAB03C0E5B2F9C51A2E37B8AC92E09EFEA41B44F7713D2C8DD1C40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:10.879{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E0D7FE6C98AB15C489FD5E9282D4C0,SHA256=D9C5031318B232929978E101686ADDD130EE32548FE9C293553C1CED6DDF04F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06F744C39BE8CB1F3762F753CC70B0,SHA256=1E704567B8FD2277B39393B6D5EC78EBBD155C94BB37D9098DE7A39D7A09CF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.738{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083F7E15AF28D99A7AD1B66933F1C811,SHA256=1D57B680326F2326949D8165AFFA03ACA16B091AE3215DABDB92E33602CEDF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.738{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A565AD2A455CEA1CA7ABC35262BB8E06,SHA256=594395BB30AB82150234B7457D420A9B519D1ED8FD2B1955A54D20C6AA52E96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.332{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52793-false10.0.1.12-8000- 10341000x8000000000000000319227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.504{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.505{6A74A0F8-CDA7-6026-5E2F-00000000A301}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:12.913{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F746F01C73B92AC21440F5A047BE85F,SHA256=A56A6D63DA390AC9AB07783636EE6770EB3674D873CBCA7ABABA54A6E453836A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000319232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:11.895{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52794-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000319235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:13.922{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF212A8BADC98DFFCED537CE31613CCF,SHA256=08B87B9098FB42C8077CE5F0105EF7A7CB0D28B6FE217D0973636FF059039C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.973{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A4B6E8240F851CCB7E3DE608CC2808,SHA256=048D5CFECBB54AB5BDC4B65870F08FB90B712D7D36722EA2501F8F2583925DB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.488{6A74A0F8-CDAA-6026-5F2F-00000000A301}2082172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.332{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:14.333{6A74A0F8-CDAA-6026-5F2F-00000000A301}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.988{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB1DBE71F3B49F9C1D314C2C22A3104,SHA256=FD342B2D5085F84DEE9CD39A7F497DCDA81584001C17B0C7A28E644DA25A8066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.848{6A74A0F8-CDAB-6026-612F-00000000A301}31767248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.676{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.677{6A74A0F8-CDAB-6026-612F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.176{6A74A0F8-CDAB-6026-602F-00000000A301}74003968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.004{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:15.005{6A74A0F8-CDAB-6026-602F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.957{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.958{6A74A0F8-CDAC-6026-632F-00000000A301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000319274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52795-false10.0.1.12-8000- 10341000x8000000000000000319273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.441{6A74A0F8-CDAC-6026-622F-00000000A301}56125300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.285{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:16.287{6A74A0F8-CDAC-6026-622F-00000000A301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319291Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319290Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319289Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319288Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319287Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319286Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319285Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.457{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319284Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.459{6A74A0F8-CDAD-6026-642F-00000000A301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:17.004{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31399BD6973003344B426564B709E81F,SHA256=E3DDFCB11888904C5853A9433B7F912BA2EE4D033CA6E96292A4DD14A2EE8D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319292Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:18.022{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC00500CD346835F35D0FF428AF42039,SHA256=7662A1078EBAA2755900FDADF629C0E2306DCA1C221268C3091973C683117203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319321Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319320Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319319Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.551{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319318Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.317{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319317Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3) 10341000x8000000000000000319316Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319315Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319314Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319313Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319312Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319311Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.301{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64) 154100x8000000000000000319310Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.303{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000319309Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.209{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319308Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.207{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319307Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.207{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319306Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319305Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319304Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319303Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.191{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64) 154100x8000000000000000319302Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.201{6A74A0F8-CDAF-6026-662F-00000000A301}4048C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000319301Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319300Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319299Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319298Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319297Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319296Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319295Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.176{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64) 154100x8000000000000000319294Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.182{6A74A0F8-CDAF-6026-652F-00000000A301}4172C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319293Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:19.098{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2388D461B958AB59C9D169D4A9B37F,SHA256=6F5247BAB17092BFBBA5DA6D1DD540B44C3FABC6A0A187986CC6BB74C5FB47B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319343Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.932{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319342Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319341Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3) 10341000x8000000000000000319340Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319339Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319338Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319337Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319336Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319335Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64) 154100x8000000000000000319334Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.879{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319333Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.827{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319332Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.734{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319331Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.734{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319330Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.675{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319329Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.675{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000319328Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:20.591{6A74A0F8-CDAF-6026-672F-00000000A301}6288\PSHost.132576293593034149.6288.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000319327Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.574{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4pvicgh4.n15.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319326Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.573{6A74A0F8-CDAF-6026-672F-00000000A301}6288ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5ndysud.aka.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319325Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.344{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07F7E1A9849D6DCB5886891F2F78C097,SHA256=BBBCCE663678CC03AAE625A9DF44E349BBDF724064E0A889F1B9D039F94AAD0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319324Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD3C433506DAFB92A7CEBA8D2AC3FDD,SHA256=E438FB641855FBD11664723FCAD5A6C7F6EFDBA4F025C9C678FBE22BA8C6B7D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000319323Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.301{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5ndysud.aka.ps12021-02-12 18:49:20.301 10341000x8000000000000000319322Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:20.188{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDAF-6026-672F-00000000A301}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319354Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=55B72F7D48E8D9673C5E2BF9F5652908,SHA256=B8DAC096683E6089D6D764D4B1D989508593F8E2CEBB4786BC61CA4323117487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319353Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40E01332EA226C1B70BD54CA7002E1D,SHA256=859BC7051E49670E48D76CCF85794D8033E7435E4054442CCE9757DDFB8D63AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319352Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.301{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319351Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.233{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319350Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.233{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319349Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.191{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319348Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.191{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000319347Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:21.176{6A74A0F8-CDB0-6026-682F-00000000A301}8100\PSHost.132576293608798144.8100.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000319346Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.160{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bdyisypx.3sl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319345Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.144{6A74A0F8-CDB0-6026-682F-00000000A301}8100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_x0vy5zne.jcf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000319344Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:21.144{6A74A0F8-CDB0-6026-682F-00000000A301}8100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_x0vy5zne.jcf.ps12021-02-12 18:49:21.144 354300x8000000000000000319357Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.238{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52796-false10.0.1.12-8000- 23542300x8000000000000000319356Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.316{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62D0934DFD265B175218B0F8A5A9A407,SHA256=A32C00C6B4588362804019F1F167B4234579853D6BB21201611904F0D41D62D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319355Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:22.269{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4364D09622F3AD821CFE1C51D5F7C07C,SHA256=7AFBE1E06C39A61E6DAAFC322B1379A5E29DE4608DB3BD450166FAC13177DE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319358Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:23.301{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2277A279211C180DE3DA955D86BBB1DC,SHA256=2D6D133C4952B0A67E2CAF72F7091DE22A408F96ACE59D8FB97CFACB49ED32B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319359Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:24.316{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22947B8891A06AB1E51C4127A59F78AE,SHA256=FE2D5E8CD8DD183C98F45EEC2ECDAB3662432FFC77722E2FD9B69B7410C31B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319360Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:25.363{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568C55D70682EB0F48944043973C504,SHA256=BB55BA229821A35B8D5114ADD263B77845D3B65636B4418213FCAC244F23A34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319361Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:26.379{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8BBBB7E5270B8332E872B5EF7970EA,SHA256=3AA156FD9226F917211CDB72FE257EE00D45E04E4D410480E8F97CFE91AE6D1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319363Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:27.301{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52797-false10.0.1.12-8000- 23542300x8000000000000000319362Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:27.394{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9ED1DAB021643B761C6A9D1052C109,SHA256=298504F0B3E9DBF43866C1D6C13407F546A82981A42338D54F18C1195E174E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319364Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:28.410{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A50FA634866812BE65C6D6E0EF58BDB,SHA256=DB329991A720298FD9904628C5FF8FF5E3796E299994774AF731C16B122E5F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319365Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:29.428{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAECDDC9E37EC9088674B7EC05154DEE,SHA256=04BE3BA2D8F065F9E0858CB4CB4FD5E216154D653EFC7878201828266003A5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319366Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:30.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC1734726328A7AA6B9AF2E6618E025,SHA256=F6158EE8CD50953136934F269C3E113418FBADC92265ED8A627B656B3C2FEF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319367Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:31.457{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9B2A46FB09D55DE65BBDE915A7E7A8,SHA256=6FE154185FFDDB4AFB78341DEF9B963D88E2E210313B956D28850DF83135D942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319368Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:32.488{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C15CAA075C55247DAC8BA1B4EB8010,SHA256=E976208B356E1D8F5F61CC171E371C480BB48C49FD492594414D5F54B80408C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319370Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:33.522{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D0BB4E18F39608BC5F70D90CA2BF9D,SHA256=5CDF9F5B7C7E969FEFA28578F031F483EDCCFC1D36B012AB7FC317867B468DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319369Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:32.395{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52798-false10.0.1.12-8000- 23542300x8000000000000000319371Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:34.582{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE5F375D7D4C8B6F79B9BF1DC3BA3E7,SHA256=218D11F55F7B8CF93066D365F176AA6A286FD911E2E324C18FF62E432E7BDFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319372Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:35.613{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D21C7DD7C9DEFF27EC5E7907BDC73D3,SHA256=A39EC7752FABC0AEF1C12B963FF334A6ED39085ED1D11621E6AEA432B9F8DE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319373Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:36.613{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC17D428842C8E8824EF083DED4B4953,SHA256=6C112120DA89D4002A8715906C145E54401E2022CE800FB9F7F8DBC5459CDA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319374Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:37.631{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7894267C6537993DBAE9E8FDA9EC747F,SHA256=B6E84AD760A72547471343B07285043425BCE7B308483FD94D08D5B8D9A98437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319376Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:38.644{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE0143C426DAC79D744E3577F3857EF,SHA256=8B6F0E7A3535E89750811ED68115EAE538C020417848CBE742495531016CCCB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319375Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:37.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52799-false10.0.1.12-8000- 23542300x8000000000000000319377Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:39.644{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC9539DEE4F0D450A49DE06BAAC5CB5,SHA256=6F196446E580F0B4C5197B7FB7C58CA9ECC41C9A0CF7B9F73A010F47BC373D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319378Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:40.675{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685B489083DFFB00F7E7ED493B30ECC3,SHA256=73E6BC947B5F917BEE0458056546A08481072CFA418AC86145C553B2CE1BC01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319380Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:41.706{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD67D7A81501A0D7496C2D26CE9B6FF6,SHA256=BE2BA733922458788A1D89BABF3A56F848D6B6B902BF05C5831B04D917C7D850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319379Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:41.659{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1871345E6C5C80EF5BAD17C267AF8BC2,SHA256=B4FC0A940420DF09ECB9430937535DED8F3158030149A0DEDC9068D3B02DFD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319381Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:42.725{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAB94ED5F85184D364534015B21DF60,SHA256=9D55821A24309224C15EADA5FA38847FB7F506CADDE05651401C995D5E2A1D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319383Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:43.753{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1EC26BC5C261C0624FBE02BBDE0D61,SHA256=EB54151C5846EE65455E6190454665BFAFBD17167423B7AB723EE03E57A84C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319382Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:43.254{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52800-false10.0.1.12-8000- 10341000x8000000000000000319453Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319452Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3) 10341000x8000000000000000319451Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319450Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319449Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319448Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319447Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319446Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.988{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64) 154100x8000000000000000319445Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.985{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000319444Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.972{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-02-12 18:49:44.532 11241100x8000000000000000319443Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.972{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-02-12 18:49:44.532 23542300x8000000000000000319442Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.932{6A74A0F8-870E-6025-FA07-00000000A301}6688ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=19B096BE5F8C30B88A9194301487C102,SHA256=D49444868C47E716026915E5A9466F030E714EEC821249BE2BAAA2E8816FCFB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319441Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.863{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319440Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.863{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319439Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.753{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319438Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319437Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319436Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319435Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319434Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319433Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6B2F-00000000A301}65807572C:\Windows\system32\cmd.exe{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319432Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.750{6A74A0F8-CDC8-6026-6E2F-00000000A301}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%tmp%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %tmp%\T1218.009.dll" 23542300x8000000000000000319431Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\CSCD3939E369B96433FBEC249AF5DEA228B.TMPMD5=18B162FAA3AC0C16DAE1DDC84B984748,SHA256=966C815F2DFE53592BE12696F6C7061AA9340EF4A8285360427617ADDB65D29A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000319430Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localDLL2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dll2021-02-12 16:43:37.946 23542300x8000000000000000319429Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dllMD5=09362B7F7B76CAD6ACC007ED97488DDC,SHA256=AA3F5A6BE4D7FDA0E892BEC5CE4CFF6D62CE23DF258D16A12EDBBAEAC7599BCC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalsetrue 23542300x8000000000000000319428Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmpMD5=7A5AD81042F1254D2E7CBE1FA30CA4E3,SHA256=9E4DA5F38A2C7ECA6AFE9749202D64FEAF7618C60856A9058E385B7F588EBE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319427Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.732{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319426Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.727{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319425Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.722{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319424Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319423Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319422Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319421Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319420Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.706{6A74A0F8-CDC8-6026-6C2F-00000000A301}77127188C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000319419Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.721{6A74A0F8-CDC8-6026-6D2F-00000000A301}7592C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES9427.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\CSCD3939E369B96433FBEC249AF5DEA228B.TMP"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs 10341000x8000000000000000319418Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319417Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319416Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319415Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.550{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319414Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319413Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319412Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-CDC8-6026-6B2F-00000000A301}65807572C:\Windows\system32\cmd.exe{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319411Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.549{6A74A0F8-CDC8-6026-6C2F-00000000A301}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%tmp%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %tmp%\T1218.009.dll" 10341000x8000000000000000319410Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319409Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFD873757E3) 10341000x8000000000000000319408Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319407Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319406Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319405Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319404Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319403Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c235fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ca5e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c1c1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d53d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c514b8(wow64) 154100x8000000000000000319402Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.535{6A74A0F8-CDC8-6026-6B2F-00000000A301}6580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"%%tmp%%\T1218.009.dll" /target:library C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs & C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %%tmp%%\T1218.009.dll" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000319401Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-02-12 18:49:44.532 11241100x8000000000000000319400Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.532{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-02-12 18:49:44.532 10341000x8000000000000000319399Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319398Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319397Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319396Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319395Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319394Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319393Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.432{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64) 154100x8000000000000000319392Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.433{6A74A0F8-CDC8-6026-6A2F-00000000A301}4964C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000319391Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319390Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319389Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319388Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319387Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319386Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319385Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.409{6A74A0F8-870E-6025-FA07-00000000A301}66882568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c97832ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c42ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c26512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c263a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c18328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c2485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c243f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c24177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8c23e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c96d54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8be49de(wow64) 154100x8000000000000000319384Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:44.415{6A74A0F8-CDC8-6026-692F-00000000A301}7732C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Downloads\Alby_0.7.0\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319501Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.909{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA41C27D9B3ACDC02979D1A899543F,SHA256=3F39F65DF7AD5A2DCE9E5733FC00B1FFDE9D4B25CC3C6909B0062A18892C9BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319500Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.722{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319499Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.722{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319498Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319497Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.522{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A57CEC3B5E1E556E39FF0D4B874442A,SHA256=D503A462DE69364798C3695473A8F7B7AC23736FB74B1796CCE7BEB0CA10A61C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319496Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.520{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1695110E50D2AC795FC356D98F61E7,SHA256=6FC28F0E31B0365EA42FF3254CA2DE73978AB6F78D3297E65C3EA473EA71A5FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319495Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.456{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319494Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319493Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319492Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319491Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319490Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319489Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC8-6026-6F2F-00000000A301}19287404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFDC9B9331B)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC90363D1)|UNKNOWN(00007FFDC9028356)|UNKNOWN(00007FFDC9034889)|UNKNOWN(00007FFDC9034425)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB) 154100x8000000000000000319488Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.453{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dllC:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll} 23542300x8000000000000000319487Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\CSCA6F4CC9EE1164B8292B71A0F1BE6C3E.TMPMD5=18B162FAA3AC0C16DAE1DDC84B984748,SHA256=966C815F2DFE53592BE12696F6C7061AA9340EF4A8285360427617ADDB65D29A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000319486Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localDLL2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dll2021-02-12 16:43:37.946 23542300x8000000000000000319485Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.dllMD5=AFC8DD830E3D9E8F4B03DD3E150158D8,SHA256=E2B98B2704E546BBF4025960272B49FA066DB1E8B98CD3F7841C91746C856CEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalsetrue 23542300x8000000000000000319484Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmpMD5=A770582062E7FB438A4732E5145A433A,SHA256=2747301DFA4D7D8657657363E724ADD04F140EF88402CF9DFEA16F816732008D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319483Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.432{6A74A0F8-CDC9-6026-712F-00000000A301}728ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319482Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319481Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319480Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319479Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319478Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319477Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319476Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}51605664C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000319475Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.419{6A74A0F8-CDC9-6026-712F-00000000A301}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES96E7.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\CSCA6F4CC9EE1164B8292B71A0F1BE6C3E.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /out:C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll /target:library /keyfile:C:\Users\ADMINI~1\AppData\Local\Temp\2\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs 23542300x8000000000000000319474Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1bc0d29c9a68245c8561752e0ca02144_6a74a0f8-7ee7-421e-9cdd-93fa9c2794c8MD5=534D78034B774B6266F2189576F8C6E3,SHA256=62B14867E4E79D50673D2F7474335229F54C478F56D2A910235E1953C6D29206,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000319473Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.409{6A74A0F8-CDC9-6026-702F-00000000A301}5160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1bc0d29c9a68245c8561752e0ca02144_6a74a0f8-7ee7-421e-9cdd-93fa9c2794c8MD5=7FCD96E4A6177867EFBA2B580421472A,SHA256=3C403CF936E40276A2D28002BD4B5D7EC3F67D49459A160292A9F00B8BAEE6DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319472Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.253{6A74A0F8-870E-6025-FB07-00000000A301}57363644C:\Windows\system32\conhost.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319471Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319470Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319469Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319468Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319467Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319466Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.232{6A74A0F8-CDC8-6026-6F2F-00000000A301}19287404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFDC9B9331B)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC9036540)|UNKNOWN(00007FFDC90363D1)|UNKNOWN(00007FFDC9028356)|UNKNOWN(00007FFDC9034889)|UNKNOWN(00007FFDC9034425)|UNKNOWN(00007FFDC90341A5)|UNKNOWN(00007FFDC9033E76)|UNKNOWN(00007FFDC9AE54DB)|UNKNOWN(00007FFDC8FF4A0C)|UNKNOWN(00007FFDC9052EDB) 154100x8000000000000000319465Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.248{6A74A0F8-CDC9-6026-702F-00000000A301}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /out:C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.009.dll /target:library /keyfile:C:\Users\ADMINI~1\AppData\Local\Temp\2\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.csC:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:\""$Env:TEMP\T1218.009.dll\"" /target:library /keyfile:$env:Temp\key.snk C:\AtomicRedTeam\atomics\T1218.009\src\T1218.009.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe $Env:TEMP\T1218.009.dll} 10341000x8000000000000000319464Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.175{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319463Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.175{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319462Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.159{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B0A41853F46B68526BA08F436A2796,SHA256=D751C24CA941ABA9F8DD9EF2EAA05A902BCC3245BDA20B80978BF9135BF63C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319461Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.159{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083A04955B1436CEC044FE9ECB1D325B,SHA256=D7083BBAFEABDF22E67F8C40BAFA52E01FB6DECF1D446875FAECAA1F155D1791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319460Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.132{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319459Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.132{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000319458Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-CreatePipe2021-02-12 18:49:45.113{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928\PSHost.132576293849856556.1928.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000319457Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.097{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_m0pokzfv.0eb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319456Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.097{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xpxpmzco.kmw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000319455Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.081{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xpxpmzco.kmw.ps12021-02-12 18:49:45.081 10341000x8000000000000000319454Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:45.066{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319509Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.987{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA6D7A185F564A68BB7400B237672E3,SHA256=D3B9C327AADAF1516F142E0464EF7FE5B32A6EB810835CF2AC0E9B59FC7649E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319508Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.847{6A74A0F8-CDC9-6026-722F-00000000A301}8040ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.009.tlbMD5=9C845A7202BF97B735F10F6AE2FF0FBB,SHA256=0DB8817A472B5B7C02D0A339621571D86D214B7406F1AB2A8C0DED40D9F679BB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000319507Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:49:46.832{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{1F58AE05-0945-3625-8538-9E0CB19B3EC5}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000319506Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.816{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319505Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.816{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319504Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.800{6A74A0F8-B03D-6026-B92B-00000000A301}41083380C:\Windows\system32\dllhost.exe{6A74A0F8-CDC9-6026-722F-00000000A301}8040C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000319503Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.784{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2CA768E847C4D155F522C592E7CECE1,SHA256=7D70A46599D12D7753D42ACFABD9B13E2F8B8BFEB5B86E4FA5FD142A225D45EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319502Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.784{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=753294C565D18BB6F178CCDE94935B6F,SHA256=44186356CBF50ED3377A61D95E3E8F13E52B5EF2BBC0B4038C464FC0560BD542,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000319512Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:46.919{6A74A0F8-CDC9-6026-722F-00000000A301}8040WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 23542300x8000000000000000319511Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:47.097{6A74A0F8-870E-6025-FA07-00000000A301}6688ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=7F72DD2E749A1799575D9830E30ED7E6,SHA256=6A9CA60EFF61453B7DEF5559DE7F0497638EEA137B1ABA99063B586E134F9EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319510Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:47.032{6A74A0F8-CDC8-6026-6F2F-00000000A301}1928ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319517Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.316{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52801-false10.0.1.12-8000- 23542300x8000000000000000319516Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.050{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47DBB77D3309ED3966F8CA54DE2B6C6A,SHA256=9826C213ECFDBD5E5E93D627366DABA5CF45A792068203982A69C443A4F30C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319515Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.032{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F849B2F22C82BFD6C40840CC9605012,SHA256=704CAF0B2951446214EF0AA16A28094622F1C4C31105E18A90C4314CAA232B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319514Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.031{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083F7E15AF28D99A7AD1B66933F1C811,SHA256=1D57B680326F2326949D8165AFFA03ACA16B091AE3215DABDB92E33602CEDF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319513Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:48.022{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7235CE4ECF68E8EBFCF8FAB61A1DCA,SHA256=9E0581FA08DE50926E78D8C6D1597DE215E72B412E084E0701A8F2DF6CAACA01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319524Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.394{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319523Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.394{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FA07-00000000A301}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319522Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319521Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319520Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319519Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.378{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-870E-6025-FB07-00000000A301}5736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319518Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:49.081{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285DC8D8453A57524DB271109CA5C902,SHA256=9EC05BFEB2472CCF74720701E4542F0EBD872C0509A73BF09AA88BC5D981687E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319525Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:50.097{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A81F8C472AB57994ADC0C4D650B52E,SHA256=40CB69721F33ECB434C916F89F4AF3724AFF58E011CA0E3977883712424B3433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319526Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:51.112{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D08B637D195AEB636A6D8CF15E753A7,SHA256=9CBEE177ED9A23A22A06A55653E562F70B7F3629E393D2B7A5CD40CEAB63BC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319527Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:52.130{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E939624CE438B41CAE217F1964C7850,SHA256=4CDE981553E04C9D53D9D46B65257E218E6BA103DA4F458A11AD6C94B568031C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319529Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:53.379{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52802-false10.0.1.12-8000- 23542300x8000000000000000319528Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:53.144{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A316F8A6F862717D728172489158D47,SHA256=9669332CF938D0250C69B685F0DC6A3BEC0655FA12A32044142DCFEE1EF13792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319530Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:54.175{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA4DE9728A4E56110A537B38A7ABC05,SHA256=56DF601BB8CC2A2091DA6A09A8E97266E30337F06D0F9770DE4D8523184FDAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319531Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:55.175{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643B14BCE1824AFC19FD206A79404ECD,SHA256=7080DC82B84BC15147DA380A05E66AA358F10E80A018CD6AD1D0D6A7E81D2788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319532Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:56.190{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E37D8D0A115E278496851F3814E004,SHA256=740E97BDBBD359206B1666C53059ED3898DEEB470F7CC7F5F273E5D9A2A031F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319533Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:57.206{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB511908097BB58C2D0C838BBB3CC84B,SHA256=710B37485F1483B9017FA87A3D6A31638FD9C56E8B88A65F99F567D131EA1C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319535Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:58.410{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52803-false10.0.1.12-8000- 23542300x8000000000000000319534Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:58.224{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903BB56C68A65E750F7C285B6FF4EB4F,SHA256=D7698BA4397DBE8645BF51C77A4843B6B8B78026DCC64BEEFDBAB413CEBAC824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319545Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319544Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319543Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319542Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319541Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319540Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.503{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319539Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.232{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62914D2C851DD40996F6027EDCA1BC14,SHA256=ABAB3D7188DA5DFF57ACD601CF3413D480112FAD62C8C2A473D565C4575DB6EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319538Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000319537Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319536Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:49:59.206{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF54acccb.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319546Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:00.253{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318A917C0C619FBD136CC493C4658475,SHA256=278BAE646F526699CC1E2B3F1461B92B2DD0C29A27F515D37DF1329D0E0FEA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319548Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:01.956{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319547Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:01.268{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A8F609350CDF6404DA15F4D73F832B,SHA256=8555784A78BEAF711608E5FC7E67A4E145AAF312B6AA655E2F7AC4B8065E5BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319549Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:02.284{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA4852193AAC6F5A4EEB36DCD498569,SHA256=194F24BE1D468C6292C3CB5D9E1220DF57524FFF1D0B632783806DC4C3FBA1A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319551Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:03.113{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52804-false10.0.1.12-8089- 23542300x8000000000000000319550Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:03.300{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC50E33E9514DEF1E080121F07205426,SHA256=88E16F7236AA816AE44B77EFD062A5365E959B035529397268B338888E975E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319553Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:04.285{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52805-false10.0.1.12-8000- 23542300x8000000000000000319552Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:04.378{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CE9807C92623007949BD7D6230F801,SHA256=FA8AB1AD9085A6301B7D7702BFC345E1162F4307E8381D602D2BEAA195C9560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319554Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:05.409{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0C6B0CC2D4C72616E24904FF0FD5BA,SHA256=E5B4532961850B6513DF318F29CA35001AAE99F64BE03827DA58A62FF3A15D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319555Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:06.427{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9EE450A17A86098362001A4A834A07,SHA256=9DFA539DFEFB581BB66EF72E73C0DE2585EA736DB0C3D0BA023E43ACEB05AB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319556Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:07.456{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63961D4EF8C974CFBA7239306A45EB6,SHA256=CF31C6C52F2AA42D5400C154FAAC19F42CB571D09416CC426D89E959B455D94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319557Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:08.487{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3538F409D31FBCC8005746C88DCBAE,SHA256=B136A230A836751C45FF9C41F4F378E842C68A160D0CD18345B5555AC2C10925,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319559Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:09.441{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52806-false10.0.1.12-8000- 23542300x8000000000000000319558Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:09.503{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC4C0ACB8C226B222FAE4168D275823,SHA256=72AAF64376305B87827A75A654DEB1E1AE8E846412D020DB90848822D534B9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319560Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:10.527{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAFF79408EAEC9F9E03AA06188509D9,SHA256=0BCAA7888E9A0289FFCCD915CEE0E75BF4072C0764DEB47C4AECA4915D760787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319571Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF658FF783888C04CDECDBF8910B2B18,SHA256=3D0247804155D793216E180EEEBCF44694F641F967EA8519DB186C421310D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319570Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F849B2F22C82BFD6C40840CC9605012,SHA256=704CAF0B2951446214EF0AA16A28094622F1C4C31105E18A90C4314CAA232B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319569Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.549{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62360C8DA90F7E89DD5D674EF7232466,SHA256=4D4F8F129FF049F6924BC7A27C1CD0BA599C4399B37347F18167EA8F6B07245C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319568Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319567Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319566Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319565Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319564Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319563Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319562Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.502{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319561Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.503{6A74A0F8-CDE3-6026-732F-00000000A301}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000319574Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.910{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000319573Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:11.910{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52807-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000319572Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:12.549{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12930900F5E0A3ACEE672ADB875FE8BF,SHA256=DA0A051F9F492C087EBE94F7BB92877ED6FE77123CDE130CF3C73C3CF5C673AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319575Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:13.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F47521C9B90FB22E91B5371F251857E,SHA256=8E99F679C0150E6BF5663395B203D9DE6C359F7F8955113618BA9B8DB9D059A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319592Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319591Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319590Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319589Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319588Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319587Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319586Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.909{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000319585Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.917{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319584Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.612{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930271350EDA0E66C7A578F52D335E07,SHA256=8BD7102598FC68749CC36AA32D9A5375D0F62C068F493C692178743E8402D29C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319583Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319582Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319581Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319580Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319579Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319578Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319577Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.332{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319576Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:14.331{6A74A0F8-CDE6-6026-742F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319616Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.909{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A93ED45D964096E3A25738F7DFF31251,SHA256=493AA5C7912B1D458C463DF17EB337A05A2E0538714F492B76D08DD4268A87F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319615Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.831{6A74A0F8-CDE7-6026-772F-00000000A301}62927800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000319614Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.316{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52808-false10.0.1.12-8000- 10341000x8000000000000000319613Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.682{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319612Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319611Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319610Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.681{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319609Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319608Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319607Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.680{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319606Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.675{6A74A0F8-CDE7-6026-772F-00000000A301}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319605Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.643{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23382519EF91F53D73E738CCBF43CFB8,SHA256=3D9609D10639B4D258E8E17174D10CC33555C645D40DC640CDFF88912CCBA91E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319604Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.177{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319603Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.177{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319602Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.176{6A74A0F8-CDE7-6026-762F-00000000A301}69967432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319601Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.151{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319600Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319599Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319598Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319597Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319596Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319595Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319594Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.002{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319593Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:15.003{6A74A0F8-CDE7-6026-762F-00000000A301}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319630Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.706{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E18648C1405AED27028D64F3168D6BF,SHA256=71AB61EE3EC5FD35E0564C49AB76D324D08DD7E167974C6DF6FB66E67D53055A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319629Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.502{6A74A0F8-CDE8-6026-782F-00000000A301}56085300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319628Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319627Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319626Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319625Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319624Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319623Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319622Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.346{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319621Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.347{6A74A0F8-CDE8-6026-782F-00000000A301}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000319620Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:50:16.277{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000319619Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.276{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319618Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.252{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319617Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.252{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 354300x8000000000000000319650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.470{6A74A0F8-CDE6-6026-752F-00000000A301}6016C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52809-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000319649Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.862{6A74A0F8-CDE9-6026-7A2F-00000000A301}43166264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319648Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319647Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319646Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319645Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319644Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319643Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319642Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319641Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.706{6A74A0F8-CDE9-6026-7A2F-00000000A301}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319640Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.705{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98D8EF86B0EBF5883D85A90FC7121A9,SHA256=9C6495A340DBA70EAEB08ED70CC93C6DD40340DFC2E2F92F233D1F4D4CE4C431,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000319639Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:16.374{6A74A0F8-CDE6-6026-752F-00000000A301}6016WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 10341000x8000000000000000319638Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319637Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319636Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319635Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319634Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319633Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319632Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.018{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319631Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:17.019{6A74A0F8-CDE9-6026-792F-00000000A301}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:18.830{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000319651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:18.705{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CB9B39588E8973E32D15363D2C4224,SHA256=6351E21ADCFBDB4757E2C6FCB83668B0F2F0E045CB0562CDAF161CC0F06181D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.020{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52810-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 354300x8000000000000000319658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.020{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52810-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 23542300x8000000000000000319657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.846{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B77281EC5B5C21C9D498F24A87ACF8,SHA256=FD07A67BE0561C85B47E5A280A56BC976E94EEC175F8B478A2E105B79D31F247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.846{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF658FF783888C04CDECDBF8910B2B18,SHA256=3D0247804155D793216E180EEEBCF44694F641F967EA8519DB186C421310D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.721{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BD7DB552DAA9D83D4639587A2D2E81,SHA256=F763ED49C44D415B61BF7F146182E3F8285A75AEE3C1E693264AB4650F4BC860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.502{6A74A0F8-730C-6025-1600-00000000A301}15324516C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:19.502{6A74A0F8-730C-6025-1600-00000000A301}15324516C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.737{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230E5D3C96E335EDAF56358EAA72774C,SHA256=386B6BA9C1392F9A6E681C8B505A98BB9FCBAC7AAB02AB739C7E8A5FB6D7420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:21.737{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27741B388A34929A972C101D19346F78,SHA256=A02D6BE4714AEC26AC1936D02264250FC1829099B155797BB5856326BCC2741E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:20.425{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52811-false10.0.1.12-8000- 23542300x8000000000000000319663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:22.752{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BC8340D8EBAACDB52B9F7BD45F0C0D,SHA256=013DECCD6CA9E552A03D5A7AEA5A92B3972969F61DC8DE5C271F29BAAF31E337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:23.770{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4BDF80F63DFB9178A91C42CC2F9248,SHA256=DFAB2E8C06DE6183EC05960BB4619D6AE99963D03ADA263DE3B0D2889B715722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:24.799{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28627D9DF4EB3DB2440B35C7A86115A2,SHA256=7B175F237CD319A56B9B0798498B2D8F4B2F1675D63D370078628E185A7397F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:25.830{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA0EFE39A46698F62FF2552703A122A,SHA256=433A07085FCC5D0CF319C9F5EE4E61C8F7E9DCD6E0377290B720B9B6C0B776B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:26.862{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A10D4ED851F3504736F5E85C872F9B4,SHA256=C6D7998F4A9287BB6FF169760EB2701EA6B80EB398361F90B03782B4E334FF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:27.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2BD2BD4041D7568D143CAE816A8A6DC8,SHA256=0C6C9D7454DBDF96113E4BA3D37F947E99557F5E627E92811C946E680DB77202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:27.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70240C6D4DA0C2DEF002929F8C11206,SHA256=907AFA9409FEA6C0F17226DA616BC766100B7F49080B78C7B69A3A73DDCFA625,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:26.300{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52812-false10.0.1.12-8000- 23542300x8000000000000000319671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:28.924{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F61EC1331F9838E1EEB067CD70DC91,SHA256=4E8A837CE70B45E6E2D81E530A375C6D2F63624A911544D975EA99AA0151F6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:29.955{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C4B21456641652E40A0E0EA8364DFA,SHA256=6E7ECEF0FFBA691E54770673D11EDF550FAB996FFD9299713B28E92737D0BC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2463DA43D9B75F2E5EFEFE68A4A87907,SHA256=0C42F15EAE479AB6582BEEA2716FFDF59789F5E4F5AF32ACF21B8BC3496614A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.581{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B77281EC5B5C21C9D498F24A87ACF8,SHA256=FD07A67BE0561C85B47E5A280A56BC976E94EEC175F8B478A2E105B79D31F247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:30.455{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:31.002{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D2BE5C60624B1E1D5480FDCB7E8590,SHA256=9735BC03CDF34233AD5965FBBC35F7CC1E658C511347C9ABC843AD01C15977D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:31.363{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52813-false10.0.1.12-8000- 23542300x8000000000000000319679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:32.033{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B462B7A341726494F199752C055264,SHA256=B1B6366F3FC9B5DA986E24AE60BC334C5FBB6B705AD265095AFFB3169B400D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:33.064{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CCDF84C366155677D847147004C403,SHA256=B64A483F100B2D9C6519EC0F7AE9794FCE65D75B5F11F321948E0B657D019E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000319683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.893{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" /U C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:34.096{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AACE1CB8CCB1681FBFEAC98EF0303,SHA256=8DEB452FE2E06FD61EFB144E22A3750A0FFAC1EE67BE10D242856D00C898DF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8EC52F263ACC98CE157131D8C15EFC27,SHA256=D946127C59F5ABA0845833E0516430E4C0003D6BEF9A4150EECBFBD2062CAA57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.143{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.143{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.111{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:35.111{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99665C544C907AB0DD2BCFADF2684C3,SHA256=A61B8DBF5F96966E205673E1A79D190C8EFFB13DC9401DF9B176596DAFAE5FE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.221{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.205{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000319698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.205{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 13241300x8000000000000000319697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:36.205{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7016f-0xf3168750) 23542300x8000000000000000319696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.127{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418F19C5261B47B180561BB99CEF80B6,SHA256=271BBBC56D780A57A05858D740E34A2F068351B587C95FF14CD9CA0A763B7ED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.409{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52814-false10.0.1.12-8000- 23542300x8000000000000000319703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:37.299{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42E3A21BBC2EC4E44762186562E06EF2,SHA256=7603A54E66BCE0297C20C7AD42B828F891424A6B6EDF6D37F0DBE347B0F1F9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:37.205{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA5DF44BCC61B2198F1B9A9D5453E1F,SHA256=22CABE00196AE4E1BD4A19EE864104F60EDBAD1FFB6F3A71DA4269AC04D095E0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000319701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:36.346{6A74A0F8-CDFA-6026-7B2F-00000000A301}2108WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 23542300x8000000000000000319705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:38.237{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C186D603C134276DFD8E9F53E318B1,SHA256=F9D2B7A85D718F3A82D84168AF87934FE827D8609725DC1F6FF919E7679F4DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:39.299{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FA9D14929D99C2B3B0C825C9244F88,SHA256=2A76CC395109C7CE41CC0DCC08BFAD2DE3D041776A9FC9D198AF7D1AA544AFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:40.315{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456D4E2C6D725280634498241BDE95D4,SHA256=D18631BF8E51233DE44947E6DD29EAF58583EE1BDC480907F8327DBE3DD76A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:41.674{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB600AD46912E438626B4DE3EF6B2541,SHA256=5CB29415EC602540468D71F060F1DAADD5F08E8F61937B7592E009F55D442334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:41.361{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F87D67E48EBE23D3107813C3EA149D,SHA256=B8FEC4450C75A77F4B2FBB8E980F1C68926A151E8947BC0D618FF7711663BB4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:42.269{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52815-false10.0.1.12-8000- 23542300x8000000000000000319710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:42.379{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA38839344D47F3DAD67C2066175292,SHA256=BCDDA6FF1FDA8B004B217187951E2CF90BC3EF95D795D71277B9F2933CFC7278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:43.381{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83E1070CCD8617C3BA04CB95354242,SHA256=E2226A1FD89F6CAF36DB9926F236657C3D3EA07110B956F5701706F9AE8E7EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:44.393{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECD467DDE2DD09918CDC0C27253026A,SHA256=2E6A71517CB79CC0452B85073F3E91099EE5DBF7858C4D5B33FF9F7998F144AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:45.408{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC3D1642F594CD0E88906A8A866BED0,SHA256=14A1E42DEDA751B15E09F9381B5CAF211E91EF5D8DC9C291785F92D7C1222953,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000319725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000319724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x054b8638) 13241300x8000000000000000319723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70167-0x9758796d) 13241300x8000000000000000319722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7016f-0xf91ce16d) 13241300x8000000000000000319721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70178-0x5ae1496d) 13241300x8000000000000000319720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000319719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x054b8638) 13241300x8000000000000000319718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70167-0x9758796d) 13241300x8000000000000000319717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7016f-0xf91ce16d) 13241300x8000000000000000319716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:50:46.674{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70178-0x5ae1496d) 23542300x8000000000000000319715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:46.424{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B16C4131410471093DE5031E9CC81B2,SHA256=46D75529BF798A9CF6BF8E98B0B3615E85A09F3ADD94B5458E43D9E3677FBE8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:47.347{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52816-false10.0.1.12-8000- 23542300x8000000000000000319726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:47.455{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02212EC12A52A81D1823CA642FCA119,SHA256=E4277F7035E4791ECB547F80B976C125C3A7DA13B43B09814F5E327755EB6121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.478{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3A86062FAA96D76E242D9CF1F1A30C,SHA256=843520505B5DB651CADFD6A017768404A348A6B0A2FAEFDA488187E721579E3C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000319738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:50:48.361{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000319737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.361{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.361{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.299{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000319728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:48.302{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000319742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.571{6A74A0F8-CE08-6026-7C2F-00000000A301}2776C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52817-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000319741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.502{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E711A2BBE5758207F4878EFB65DAB0,SHA256=403DA2F8024823ED6F53A399C75DFD49B09532C5705177C0D9F1809745197BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:49.330{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B44483AA09AD3D69E6B583DD7731DA84,SHA256=641BE8F9ABC52285C94463C76B2709623085B1FFD4C11C71ABB9BCE0356D8321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5652DD91D336B3D2A25B17DFC97B04DC,SHA256=3122516222A2A70C034F7AA5DB1DB84B3A87CEC84BEBB4C5A3C30491B181FCB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.721{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.705{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.681{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.680{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.680{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7D2F-00000000A301}7416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.658{6A74A0F8-743F-6025-3302-00000000A301}35487408C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000319767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0D00-00000000A301}9885324C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.627{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-730C-6025-0C00-00000000A301}6081076C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319745Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319744Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.611{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319743Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:50.518{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F786511F5EA5743E2B59F3A0CD17A8,SHA256=B310CB9BAD1B26EC13D63AD6AE938737C862A8228CA9EF390C34AA8E91232E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319817Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.878{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E360BA917814979B252AF7AEBBFF49ED,SHA256=10D62F2AB5B19451CD5E8629585ADF97EE16B78BD72A023B76EA01D5A2E3BDFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319816Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.221{6A74A0F8-743E-6025-2802-00000000A301}36927896C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319815Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.221{6A74A0F8-743E-6025-2802-00000000A301}36927896C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319814Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319813Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319812Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000319811Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743E-6025-2802-00000000A301}36927104C:\Windows\System32\RuntimeBroker.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000319810Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319809Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319808Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319807Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319806Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319805Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319804Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319803Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319802Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319801Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.205{6A74A0F8-743F-6025-3302-00000000A301}35486928C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319800Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.181{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319799Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:51.181{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319833Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.881{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B1EC703E07EFAC4BB5AB46039289E1,SHA256=DB81A8415ACEF313B9122189F1E34A5342D91A4299646C5D6845387D670F5D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319832Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.425{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52818-false10.0.1.12-8000- 10341000x8000000000000000319831Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319830Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-743F-6025-3302-00000000A301}35485784C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000319829Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319828Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-743F-6025-3302-00000000A301}35488020C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319827Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-743F-6025-3302-00000000A301}35488020C:\Windows\Explorer.EXE{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319826Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.361{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319825Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319824Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319823Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319822Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319821Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319820Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319819Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.346{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000319818Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:52.236{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCF1690598664637F1E5F8C15668308E,SHA256=11E4F772FAF7DDFDEBB1D679A32DDC4140C290A1AD4F51A52E9144A65E9F2BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319834Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:53.892{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC0A7B4C620C85BA727950CF19DFB10,SHA256=8D4962C274EA63809E7F49CED6E4013B9E385861B853F8EEC8173CEE8122950D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319835Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:54.892{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C0D6B68AB409755188DCB8C6AB2E63,SHA256=55FBE47BEEFDDADA752ACC6F885EEE07B7D9B03D188C823CF61C623B4E993D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319836Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:55.924{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BDDC53E1675DB569498C3926BBF621,SHA256=4730D0F6D363D4E87F1A682EA8ACE48FB970C461C51A98ED92C696C9DEF6FFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319837Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:56.939{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62D79F3053C9CAF905B5ECEBE2EAF9A,SHA256=A7940C2CCBF1BC66EF534F7E4C1778F7CCA9C0EC30417B5380A2ACCFD49456AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319847Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.955{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D20BBDBCFAD2359C6DA5C2BB0395F4,SHA256=40C690CF59EEFC89859A360B010AA54703B0479ECB4E7D281A85AE9EE20F3CE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319846Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319845Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319844Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319843Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319842Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319841Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.845{6A74A0F8-743E-6025-2902-00000000A301}39648028C:\Windows\system32\sihost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319840Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.658{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319839Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.658{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000319838Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:57.658{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x8000000000000000319849Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:58.975{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A690A40873AE4EFC8DC9C6D4E367A6D,SHA256=A69B14B7D7C9BBE0FA8BCF0CBB42FBC7BAE2448DAD6D005E7346FB77276B9989,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319848Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:58.237{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52819-false10.0.1.12-8000- 10341000x8000000000000000319859Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.127{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319858Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.127{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319857Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319856Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319855Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319854Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319853Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319852Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319851Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.081{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000319850Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:50:59.082{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319861Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:00.095{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FCC87323CAFC3F2A3C5E3EDFA31A37AA,SHA256=A132D7C4E6A1982B8BCD852038CEE6AA3A89AD37F1BDA9C721BCF320DEF7A8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319860Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:00.002{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE55700F09EBAB2288AE44CBCCC56908,SHA256=836E803297A45918C4A8F3BA66C6D19E7C93A4BD91A4F6868185EFB8115CBDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319863Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:01.049{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB5AE1BBDD99BF9963EED3A6B625001,SHA256=7C49DB99CE1D9AF2E6C214E6EFED0320A6CFB41B34A67A79A464E72AD7882C76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319862Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:00.342{6A74A0F8-CE13-6026-7F2F-00000000A301}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52820-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000319865Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:02.064{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F885AC90D0547F3F8AF1B7222B536939,SHA256=1524CB482E9B90EBBCEE4BCFD33D7CACAA6F98184939A7CFE1961BE67CF5FDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319864Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:02.002{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319866Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:03.081{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112D6C0F6A49EC29B2427E48710F2C1A,SHA256=D90A341FA67284237FCC1ADE2C5A83191FC08F0D1CCB7003ABBA3DF0825B71AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319871Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:04.861{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000319870Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:04.455{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2DC0718066713C498D70E525A2B573B9,SHA256=82EAB94D5D8BDD9C2C7637B0817117BB343246E307A9CFC892C30DD0601DEFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319869Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:04.127{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5606A9D4CA9D6119D86D663DB128ABC5,SHA256=625B4899F774B035E99E3B6FDFE81FED918B3B7F9C9860929C521A7303DFBAC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319868Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:03.284{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52822-false10.0.1.12-8000- 354300x8000000000000000319867Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:03.159{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52821-false10.0.1.12-8089- 354300x8000000000000000319878Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.951{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-444.attackrange.local52824-false10.0.1.14win-dc-444.attackrange.local389ldap 354300x8000000000000000319877Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.951{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52824-false10.0.1.14win-dc-444.attackrange.local389ldap 354300x8000000000000000319876Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.943{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52823-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000319875Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.943{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52823-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 23542300x8000000000000000319874Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.777{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CDDC0E3F2A63957998CA7AAB7C6B51E,SHA256=76C3D743A5942F86BB97EF68F4401050F4A6452A29439BBEF06B52080B918127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319873Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.776{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2463DA43D9B75F2E5EFEFE68A4A87907,SHA256=0C42F15EAE479AB6582BEEA2716FFDF59789F5E4F5AF32ACF21B8BC3496614A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319872Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:05.142{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD35BB01DAE5374BCEC97D260956075,SHA256=AA48E18E809B6AECA43ADB753DFA42EA2C185EB485BB63782867811EA69CB9C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319881Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:06.053{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52825-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 354300x8000000000000000319880Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:06.053{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52825-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 23542300x8000000000000000319879Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:06.158{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD9A2DC0F9A747FEBE12B40CF5FE0C4,SHA256=1FB120857E58EB08FB2764234E1407F85C2CF53C4E818C6D00D220E77469C001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319882Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:07.176{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD875F26E2ADD0B986F7064C4050C91,SHA256=FB700ADC52181A4366509CF64CEC1EDF8AE2B409D066A4216009D48C8C3C6DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319883Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:08.205{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0E47DF2CEDB4ED1A751A972D5E362C,SHA256=93ED86CFB2741724A1D2C9465242FBE47F2FC31E3BB3F8AA4B20161D87406CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319885Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:09.205{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29165E4EED2E99636956C63A1EAE9EDA,SHA256=681F1B249FEB3E9057FE662A8B266ACEF50207F5CB3AF7927FFC83CB212739DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319884Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:08.393{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52826-false10.0.1.12-8000- 23542300x8000000000000000319886Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:10.236{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4E83FEA5094BDE6E8E08EB76195BFD,SHA256=B51BF767D4F7015BD15A7DF72445D8BC2878ECC8C29181249BB2A57BC918440D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319897Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.772{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA14B93E2668D4EA32EC661E26D6E21,SHA256=4032402B4A57942E0FA732A26618A5952E19D4B806F24A9508172933988EE651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319896Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.771{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CDDC0E3F2A63957998CA7AAB7C6B51E,SHA256=76C3D743A5942F86BB97EF68F4401050F4A6452A29439BBEF06B52080B918127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319895Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE1F-6026-802F-00000000A301}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319894Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319893Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319892Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319891Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319890Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE1F-6026-802F-00000000A301}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319889Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.501{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE1F-6026-802F-00000000A301}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319888Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.502{6A74A0F8-CE1F-6026-802F-00000000A301}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319887Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.269{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E66738062F35053B18C3C02924D1298,SHA256=4AC85838523938426357D77DFD8338F0CAC88BB55EDFFCE96363F4419DB56BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319900Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:12.298{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DF7B4D84CE711F2FCF28AEA1177F04,SHA256=DBC659299FE1A3B565C3DD8CFB156ED4B0AE6D153AAE1DE0286C676FCCD5425B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319899Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.925{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52827-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000319898Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:11.925{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52827-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000319901Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:13.329{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8E167458A6E9053534E086F38E76F4,SHA256=470BFA1F583F2931CEB88ADE7AAA68CABE5ABB5F45574D4B1D2DABB403A2D3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319918Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE22-6026-822F-00000000A301}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319917Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319916Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319915Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319914Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319913Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE22-6026-822F-00000000A301}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319912Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.845{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE22-6026-822F-00000000A301}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319911Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.846{6A74A0F8-CE22-6026-822F-00000000A301}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319910Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE22-6026-812F-00000000A301}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319909Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319908Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319907Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319906Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319905Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE22-6026-812F-00000000A301}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319904Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE22-6026-812F-00000000A301}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319903Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.330{6A74A0F8-CE22-6026-812F-00000000A301}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319902Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.329{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6468620776933C571CC08EF3226D970F,SHA256=D9D3C8BF97C68CF95456163613A50E7D2BECF98A8B314EFBC3A6D06A88E8F4CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319930Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.676{6A74A0F8-CE23-6026-832F-00000000A301}21725992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319929Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE23-6026-832F-00000000A301}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319928Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319927Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319926Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319925Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319924Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE23-6026-832F-00000000A301}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319923Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.481{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE23-6026-832F-00000000A301}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319922Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.478{6A74A0F8-CE23-6026-832F-00000000A301}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319921Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.361{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE0F3F41C643CBC8ADC099EB5816F36,SHA256=EF6DE23C84B9AF8F2DD07FDB4091C760A1BD4A7EC022FE53666F58C0EE30326C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000319920Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:14.253{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52828-false10.0.1.12-8000- 10341000x8000000000000000319919Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:15.017{6A74A0F8-CE22-6026-822F-00000000A301}70765116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319950Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.829{6A74A0F8-CE24-6026-852F-00000000A301}62125300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319949Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.681{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE24-6026-852F-00000000A301}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319948Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.680{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319947Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.680{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319946Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.680{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319945Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.679{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319944Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.679{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE24-6026-852F-00000000A301}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319943Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.679{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE24-6026-852F-00000000A301}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319942Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.674{6A74A0F8-CE24-6026-852F-00000000A301}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319941Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.658{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA14B93E2668D4EA32EC661E26D6E21,SHA256=4032402B4A57942E0FA732A26618A5952E19D4B806F24A9508172933988EE651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319940Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.381{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC7CA80BD340E75064519B65281B5D4,SHA256=C52E430616643FE1B3EDC49462C2EB6F83BCE6EC0ACC868EAB6E7B6BABCB47AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319939Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.314{6A74A0F8-CE24-6026-842F-00000000A301}56767072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319938Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE24-6026-842F-00000000A301}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319937Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319936Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319935Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319934Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319933Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE24-6026-842F-00000000A301}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319932Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE24-6026-842F-00000000A301}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319931Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:16.158{6A74A0F8-CE24-6026-842F-00000000A301}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320013Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320012Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320011Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320010Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320009Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320008Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320007Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320006Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320005Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320004Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320003Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320002Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320001Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.823{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320000Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.801{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FC62F091709E0336FC2604ECC4D502,SHA256=5545935BB6A1803B31E31406DD3E5A36DB47F7C9E57F90DF1B6D390A221BB0A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319999Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.626{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319998Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.626{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319997Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.611{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319996Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.611{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319995Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.611{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319994Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.611{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319993Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.611{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319992Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.595{6A74A0F8-CE25-6026-882F-00000000A301}60124296C:\Windows\SysWOW64\calc.exe{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000319991Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.610{6A74A0F8-CE25-6026-8A2F-00000000A301}984C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000319990Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.595{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319989Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.595{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319988Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.564{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319987Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.564{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319986Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.564{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319985Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.517{6A74A0F8-CE25-6026-892F-00000000A301}27365520C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319984Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.501{6A74A0F8-730A-6025-0A00-00000000A301}8487528C:\Windows\system32\services.exe{6A74A0F8-CE25-6026-892F-00000000A301}2736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319983Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-892F-00000000A301}2736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319982Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE25-6026-892F-00000000A301}2736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319981Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-730A-6025-0A00-00000000A301}8482928C:\Windows\system32\services.exe{6A74A0F8-CE25-6026-892F-00000000A301}2736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319980Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319979Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319978Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319977Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.480{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319976Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319975Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319974Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319973Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319972Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319971Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.454{6A74A0F8-CE25-6026-872F-00000000A301}53761720C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(0000000004A70099) 154100x8000000000000000319970Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.468{6A74A0F8-CE25-6026-882F-00000000A301}6012C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\users\Administrator\Downloads\regsvcs.dll 10341000x8000000000000000319969Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.439{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319968Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.439{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319967Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319966Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319965Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319964Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319963Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319962Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319961Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000319960Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.401{6A74A0F8-CE25-6026-872F-00000000A301}5376C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\users\Administrator\Downloads\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000319959Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.392{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30CC28191F7C5B350B9C65A015ECDB4,SHA256=037974BC676895F9C9B5293662AD01817BA5704130437754B515CABDA98BD882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000319958Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE25-6026-862F-00000000A301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319957Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319956Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319955Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319954Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319953Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE25-6026-862F-00000000A301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319952Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.345{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE25-6026-862F-00000000A301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319951Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:17.346{6A74A0F8-CE25-6026-862F-00000000A301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320019Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.548{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0FFE7BCC62A405D298FD32CDE0DDA5F,SHA256=347045AE97A571A0D8BF4581DFD07497A0C9EDE01DB0BFF7080B0DACDC874140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320018Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.548{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762CDA7895CC18237B5A258811AF718F,SHA256=696B1911C9810DA1741B7CF7399F31FEC4FA93FC05ADB44EDFD604F69CB4506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320017Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.548{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2CA768E847C4D155F522C592E7CECE1,SHA256=7D70A46599D12D7753D42ACFABD9B13E2F8B8BFEB5B86E4FA5FD142A225D45EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320016Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.392{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87A81CD23B75C619955D58DC3E526869,SHA256=2979413259E8928B5CD570EEC098C4061CCF9C8F04FA92BDD7969F2391016A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320015Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.392{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41C45260CF5B88FE17240F8F5575321,SHA256=6FC65CF88CC81587E26BA908A283406957F1A2CEB465BB8C1FFFF5538F349DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320014Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:18.392{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26EC535985179A1E50E2C657205DA5E9,SHA256=67AA9D2604A93583D54BBA6280DBF493D8E2AF7831627193FBC3AC0D34ECDA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320020Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:19.423{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BFEB3C071207BA30A5DABF9B37F5C0,SHA256=161E56F6223DADD0172E161E4827FF8C664F5401413A7EEC8803098CEFEC8D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320028Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.454{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6090D8B4D0634011035616BB10F04D,SHA256=DE7A2C08C7D7D43253F29B9DB749E1DC182DC74AD38C5DE1F284C98FFA02EE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320027Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.236{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320026Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.236{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320025Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.220{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320024Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:19.331{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52829-false10.0.1.12-8000- 10341000x8000000000000000320023Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.220{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320022Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.220{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320021Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:20.220{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320029Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:21.454{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4655395E2B625CDAA7414CAEB4AADA35,SHA256=917CBD4D9938BEE3BE3D38338BF67279462D6876A997997B70D6EC33E16094AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320030Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:22.472{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7137F37D7E3C65B80917B82693E54B5,SHA256=0EF2837A158C74C88A343FBA775D82DCCCD36DEC923E39C8D150E89BA4790ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320031Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:23.501{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A837D877C310500F67E5A6400C643680,SHA256=9376DB931ED8DA573B93A1B03CB86C61947C59AECA3022ED496572A7F0F82339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320033Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:24.580{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0958BDAEA5DF125F1B1B5F9F9769ADF,SHA256=E1C3E44DE8F66D60303A107F62E7F2505B730F46981BA3D256A2FFECF3E68B4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320032Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:24.393{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52830-false10.0.1.12-8000- 23542300x8000000000000000320034Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:25.626{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CB6F931FFCEC4C94EC18CE530ABEFA,SHA256=A903B0FAD2E19A794AD2FA47560C295EDBE2C7923780FD11313F54A28F054A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320035Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:26.657{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5973B955A4D5C020F4FFE00ECA12573,SHA256=DF28F605F70B6FBDEA9102CF4E1B83DAE067DC64B7A18250561BEFB71DA50079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320081Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.878{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320080Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.878{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320079Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.877{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320078Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.876{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320077Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.876{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320076Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.872{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320075Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.871{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320074Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.871{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320073Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.871{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320072Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.871{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320071Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.870{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320070Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.870{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320069Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.870{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320068Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.657{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320067Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.657{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320066Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320065Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320064Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320063Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320062Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320061Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.642{6A74A0F8-CE2F-6026-8C2F-00000000A301}78645700C:\Windows\SysWOW64\calc.exe{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000320060Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.643{6A74A0F8-CE2F-6026-8D2F-00000000A301}2548C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000320059Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.626{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320058Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.626{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320057Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.595{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320056Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.595{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320055Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.595{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320054Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.580{6A74A0F8-CE25-6026-892F-00000000A301}27365520C:\Windows\system32\svchost.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320053Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320052Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320051Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320050Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320049Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320048Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.548{6A74A0F8-CE2F-6026-8B2F-00000000A301}48567044C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(00000000051A0099) 154100x8000000000000000320047Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.561{6A74A0F8-CE2F-6026-8C2F-00000000A301}7864C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" C:\users\Administrator\Downloads\regsvcs.dll 13241300x8000000000000000320046Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:51:27.548{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exeHKCR\WOW6432Node\CLSID\{57DA77F3-27D4-3F92-9153-53374796FDFE}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000320045Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.532{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320044Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.532{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320043Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320042Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320041Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320040Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320039Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320038Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320037Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.480{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320036Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:27.493{6A74A0F8-CE2F-6026-8B2F-00000000A301}4856C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" C:\users\Administrator\Downloads\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320084Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:28.880{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1957496C3C0413CB97DA7E4B8959ABBE,SHA256=043A1064B30CEBC71AC220BB5D0DA5566DADE8C78A821A5386387B152C7C6441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320083Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:28.501{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=205FDEC600AC43E6D5F102F999804578,SHA256=B68BDE25618B860C7345F60E8715C1B3E878945F833B35CBC7F405D2C9EA39DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320082Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:28.095{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943102CBFEFA529D43AC740AE63021B,SHA256=8957507AC9D85300C051F89A39985523064091344B543E3F9D483F7637170872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320091Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.892{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD3E02AE92A6E2CAFE03BBC4593E068,SHA256=99D3AD9D79C311C40BAF80BE0B66030D21D2240275E6C50D33D4C4DFA18A6602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320090Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320089Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320088Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320087Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320086Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320085Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:29.829{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320093Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:30.907{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A778C9FC3E0DBF4692312EAA7D56E52E,SHA256=C9432D4B7B2CB243695D4CA41684D661866EF65883AA48509215F181D2E88A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320092Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:30.268{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52831-false10.0.1.12-8000- 23542300x8000000000000000320094Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:31.954{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87720622FEC1046B450D1945D8A10142,SHA256=D30B11C7150D3133BD6B62C19ABFC2B3CD6932C71B0E02262B2693974933956F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320095Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:32.972{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09618AA74F5A1B813DE3B09BC7E0FA39,SHA256=A1C517F4F043A7EC3E53B324F735679A1A228648B405AD009100343AC7317EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320096Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:34.001{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40C513818DFEA99127A1C810CE607CE,SHA256=810009684BE79DA3EAD794FD2E257BEEA673C9D5D609AB4FA944F15AF3F12A92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320098Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:35.393{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52832-false10.0.1.12-8000- 23542300x8000000000000000320097Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:35.016{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD779AD87ACBCC812CBB2DAE781B3D0,SHA256=635EC37FCAB3AA4443C57F8DC858EFFCD61A8DEAEB811284BE78989B50201F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320099Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:36.032{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C830EB8F14854C8FC4C190E3E07600,SHA256=5ED0E2E56A6947D2E1B333422A5B55F1AC195841BB74883EE0092D720ECAB196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320100Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:37.048{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44F789C3695578FF330179D0D5AC088,SHA256=ABFBC8227A3F886B168DD1C793046A467F787A50A4F3553332855C7D0D395827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320101Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:38.063{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F8BF6614E41659685F277C87EF5E1A,SHA256=79E0B9D36933EE645397A575928209140E2C11DE2813F57C81E1E0AB3142814C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320113Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.766{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320112Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.751{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320111Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.735{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320110Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320109Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320108Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320107Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320106Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320105Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.501{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320104Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.480{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320103Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.500{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\users\Administrator\Downloads\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320102Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:39.080{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD035C2DB6EBFACD8C2FC4701944D7B7,SHA256=3777D981EC857895372F3E9AD18B842B2C19FA4583EADF27412E5190786575AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.980{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.980{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.954{6A74A0F8-CE3C-6026-8F2F-00000000A301}41921540C:\Windows\SysWOW64\calc.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000320161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.957{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000320160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.938{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.938{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.907{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.907{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320156Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.907{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320155Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.891{6A74A0F8-CE25-6026-892F-00000000A301}27365520C:\Windows\system32\svchost.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320154Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320153Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320152Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320151Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320150Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320149Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-CE3B-6026-8E2F-00000000A301}38447776C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(00000000060F0099) 154100x8000000000000000320148Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.874{6A74A0F8-CE3C-6026-8F2F-00000000A301}4192C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\users\Administrator\Downloads\regsvcs.dll 13241300x8000000000000000320147Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:51:40.860{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{57DA77F3-27D4-3F92-9153-53374796FDFE}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000320146Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.860{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320145Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.844{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320144Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.844{6A74A0F8-B03D-6026-B92B-00000000A301}41083380C:\Windows\system32\dllhost.exe{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x8000000000000000320143Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320142Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320141Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320140Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320139Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320138Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320137Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320136Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320135Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320134Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320133Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320132Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320131Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320130Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320129Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320128Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320127Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320126Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320125Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320124Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320123Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320122Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320121Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320120Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320119Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320118Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320117Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320116Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.563{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320115Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.532{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C416F5D81B9EDEF0A6DA8FC4EA41E521,SHA256=98CACA7762A259530BF582A6D38DCDD030110EC5558C322050819DB69C5A60D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320114Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.094{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D8D1E9A03C26252867C3FB99512631,SHA256=8907D3AD81176A84659711493CF44F12B22B3AC8A9DEE8E4633B2D0CC81D572D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.891{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=120DCBA85635D12741E8DCA3F9251D19,SHA256=F45FC71A933A7B05E675B40336095AAFF54B1DFA39FC5460D8E33E05A9915E1C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000320187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:40.964{6A74A0F8-CE3B-6026-8E2F-00000000A301}3844WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 354300x8000000000000000320186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.252{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52833-false10.0.1.12-8000- 23542300x8000000000000000320185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.704{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D56A210CDEECF5862E0A347A73AD2467,SHA256=D3EE23DBE8AEFA9560142C60E59308784766636334DDC6967DFAE7AD23943EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.204{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90967E555EFA844F7FB1A004A2DF6B86,SHA256=E286B316052ABA62B40BBE73AE41383C8BCA3A247ED7873F19B4329B3C8BA21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.204{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84267A4696BF1C5A26A5458ABDD2B358,SHA256=CA8EE47D909325E5F6313774DEE3EA706453974582F90A1750C2A4AE0B2323C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:41.182{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE3C-6026-902F-00000000A301}8144C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:42.204{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49148C555E0D73269C079A3B7FCF267F,SHA256=098A5C77DE053CF1BE3536B6E377E6A4BAB30EFFBC63E61AF8F4D8FD044DB274,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.516{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:43.219{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EFFEF6C4BD2FE4E6BE81EC61495EDF,SHA256=CB3D8ED113F104E9E70A29C4F95893B555C2F9BD258EA8AD114839E7E08B279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:44.235{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7B873C00027452B067251795292A37,SHA256=FCB8DC96F5BC2B43167E4FB7D893B40B2A19E09B77E704957FAE7A2B2FD3D1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:45.268{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBA09385572923ABE758B2AAA1F3D28,SHA256=A71E455C3666EC185D959521D313A4315A23C858D6A2C1D13524B980165EE57F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:46.362{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52834-false10.0.1.12-8000- 11241100x8000000000000000320201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:46.501{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\SiteSecurityServiceState.txt2021-02-12 16:51:46.263 23542300x8000000000000000320200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:46.501{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\SiteSecurityServiceState.txtMD5=4C8BD88EF7219E5861D77BBFEFE784E7,SHA256=BD75DC5245BD52C21D24098719E5314469942FB1D0B4E3F55D6DCEBA8DBC17FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:46.297{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159B368F182851913431C96B94015FFE,SHA256=AE426ED83D3E0F2FD6C664F41DD49C0837A3B7A731855288B0EFF34520B24D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:47.313{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6321FB7A73C4948CFECEDDD33B7701F7,SHA256=2C4827B529FA9B957E9C3B7AD746F454F3A97619CC44FEAB0FA6512922A70D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:48.313{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DA4EA44EDC07150F25EAC1706C16A3,SHA256=F8E8834DA4FD0F0E6EE21C93176B85C9EFEE7ECBDD51F4B9C684A388A905AC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:49.329{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD4E2B4C5DD4182AAD3DF1417EF27F2,SHA256=DE7DC1EA4FE9507D02D95A54775B4830AD27E9420DD1A5FBCEF0E083FECA8E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:50.329{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4B9E04DF05940BBD69308783F91E0F,SHA256=69681CEBF24174DB4A93ECADAD0F33AE943BB6E9C2A164CF6A307C4C63DDCEAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.680{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.680{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.657{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.438{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.422{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.433{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" /U C:\users\Administrator\Downloads\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.344{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66D569256D48BBB71C0C9BBBB19AFBE,SHA256=B956AFD36CE28B6BCD86A0930F87DFFC08FCC602214621420E5C8475E711E18F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.773{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.750{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.750{6A74A0F8-B03D-6026-B92B-00000000A301}41083380C:\Windows\system32\dllhost.exe{6A74A0F8-CE47-6026-912F-00000000A301}7768C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000320221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.438{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97831181BEB36C74D492774B1D855832,SHA256=4CBBBF05D1A342A49FAF7BEDF0060DEE3B68D38D25C8D26CC37813077BE1CC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.391{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADED62AC7D1EEE6D6FD237AEA9E74E6F,SHA256=2A3421F3F002E02B8633FE46427580DC15798CB69122757CAB690E1EFA0E236D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:51.393{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52835-false10.0.1.12-8000- 23542300x8000000000000000320227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:53.828{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB76E74416C0842346D92B618F46E32E,SHA256=15824471CA178DB20588742BD737754F7666BFF9B21EEA5BA5C4B2CDFD827A6E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000320226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:52.888{6A74A0F8-CE47-6026-912F-00000000A301}7768WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 23542300x8000000000000000320225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:53.453{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B7F38EC507FA10A460CB55E1F332E7,SHA256=7889CBBA658BBF6C6585EC4C2DB75D458EE6BBB69009C8E0A791264EC67E76F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:54.473{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E781B45DFCE6E970112DAF429221188F,SHA256=1FE9C54E0BE299D03E7DFA54F5FB5325AD70B4644D8742496875BDD9924F1327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:55.500{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AD8342A7B78C7EB1DD8D744A866BE7,SHA256=9B8AFF0C44070FF636FCF18100843216EF03AB76C20FA53200BC1F779A0B5C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:56.516{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444B540E601031862617407E272B7BE,SHA256=5E2543B644E1D28925E74E8D7EE6BB5C948589E54070F03652D8A9F34AC99905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:57.532{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070DD926735194961881C89265CFA11C,SHA256=195C7A6DDA248D8F596FB4DE18BEA0B4B430B89AAB71619412FEA36E7DFCF99C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:57.299{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52836-false10.0.1.12-8000- 23542300x8000000000000000320234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:58.877{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=52A1F7FE7B3872D4E0CD1500BCFCFFB0,SHA256=483BBA14457C9140EB64F1486DEC82C2F773E4DEF7893A79EC048C867A99E4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:58.547{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8F859D12DA8A941FA192BFE87EA5CD,SHA256=5DDAACBF7EF864668FD3C714C43CECBB59A630864589B2CB1A1A90839D086E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:59.563{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A798DACE8E94C1E1799DE92C6BC2E00,SHA256=483F5A46DF60A4444DC193F07CCDBB52B300A59B48CBCC78CC41D49739E36BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:59.219{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000320236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:59.219{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:51:59.219{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF54ca19b.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:00.579{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4A71DF5BA9ED9483167100F058B297,SHA256=D7C8298E62AAB298EA2AD123F94BF9338244AC46D3ABDF04E065FA655B544F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:01.594{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69267C5DF0774F01B59EEF59EB9158C,SHA256=1172F2BB6EAD17DF10581CBA531473F7D216D5358885E124BDF38A9A5BC22CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:02.625{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03214D2527455CA4F97D2DBA90A6CC70,SHA256=15678EAAE9F00BD267D38AB93ADBDD79BC2B0F263AF20B717EB1B3AA95D902CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:02.330{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52837-false10.0.1.12-8000- 23542300x8000000000000000320241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:02.016{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:03.656{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A77DCA421B1D2882640F8C940995E0,SHA256=21A244C488DD18FBA43142B67227ED86381E65676FCEB55E7C1F0A02E2CB9327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:03.206{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52838-false10.0.1.12-8089- 23542300x8000000000000000320246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:04.677{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AB31006F67FF0F46E8FDED36ADB5DF,SHA256=E5ABC2D89E330B868F22FCFD38045C0055CCD4B6AEB758604FA8BC9EDF8EDA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:05.703{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996354A6A9A1F98BDA7F1D37523485F7,SHA256=9A0EED4C0DBF50A1BD2A5959AC16B27C3DB322B3462D7B092205038031D86ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:05.391{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41A8263EDCB127C231D072531E71DA7C,SHA256=2A7A6F114FD315700408ED737DE3919028A04E41B8F3034DC981B006F1D35376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:06.734{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01314978B4DF5ABD417C703382CE9BD,SHA256=4F3B8A81524B32E772423B1056505D760A51D159F7B30C16A80370485CB8D11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:07.750{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DE09DF2BFB6AEE536F45D8A43A7EC7,SHA256=2ACD697D84536847E0063CDE3E21EBCF9736B1AE373D6C4756DA4EEDBBAAB2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:08.797{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D71603D15FE00E00E66993FE5DC534,SHA256=0BA22A239AB847BE0D4F4B91E65DA2392105891DC30FBEEBB8879582CCFE59A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:08.221{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52839-false10.0.1.12-8000- 11241100x8000000000000000320251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localDLL2021-02-12 18:52:08.179{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\regsvcs.dll2021-02-12 18:52:08.179 23542300x8000000000000000320255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:09.828{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC251D6BE9DFAFE4D7668E1A935A8036,SHA256=DF9F1BB78BC91D347D5D06B4B3170388E94E2F7CD9A994BFB33EFCDE572FD45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:09.203{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABD1160F94BBF2AFD9435AAD6DCBBC93,SHA256=0C23859555F157C4B1B878F099BB87D23DE30B5000082DD027CAA87161540E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:10.859{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB9B175A74E535E781215DD6AB9386B,SHA256=65E4D7C3B6D0F0CFB9F2F4EE5344EB98383F32518A2853718382D2C2D1C5A52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.879{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B8FEF6A4739166F848AB155C7BF8EB,SHA256=45FE9EDD8404133212E82B49B9255B29E7B168404BFDE1D65D3C324847A39E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.772{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA1AB21834BCDC9E3E1B5FEEE8E19159,SHA256=E4F6E3B4A6BEF316669AA8F91C6FB09F837FEEDD0900761CDF0252485386CDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.771{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E935B654BCFAF3C99BD92093C50467,SHA256=C3EF8EF94F0127C96B1BCAFE84E11CAE4670F9438535C69AB73E124D9262C485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE5B-6026-922F-00000000A301}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE5B-6026-922F-00000000A301}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.500{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE5B-6026-922F-00000000A301}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.501{6A74A0F8-CE5B-6026-922F-00000000A301}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:12.891{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1CC266B4AFA3EE54961733B9EEF6A8,SHA256=F53A33E03522F838E7267C0B91E9740DC299934DB1C4BD0862DC0F7EB5FFB8F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.940{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52840-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000320268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:11.940{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52840-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000320272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:13.922{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB1055BAD20C3905289E035B471E50A,SHA256=C75AC17BF6C5DE1FD26C32FE3D82BA37A1A29A4FF266A6098B80001B9B7D0276,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:13.268{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52841-false10.0.1.12-8000- 23542300x8000000000000000320282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.953{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18E65A5359D32DA150C7B1F1E093D7D,SHA256=0150794E3C51A7BC1EF13C4D2E8BC1772C2668DF54D3553CA57D2E9F811A7A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.500{6A74A0F8-CE5E-6026-932F-00000000A301}10643848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE5E-6026-932F-00000000A301}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE5E-6026-932F-00000000A301}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.328{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE5E-6026-932F-00000000A301}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:14.329{6A74A0F8-CE5E-6026-932F-00000000A301}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320301Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.979{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6ED1BBC3F299DD9775412494CA1B7A,SHA256=EC77F55C7CF48114EB2AF4DA254572803DECE26B36263CD82F7CB8F786E70CDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320300Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.844{6A74A0F8-CE5F-6026-952F-00000000A301}75805116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320299Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.679{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE5F-6026-952F-00000000A301}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320298Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.679{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320297Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.679{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320296Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.678{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320295Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.678{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320294Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.678{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE5F-6026-952F-00000000A301}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320293Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.678{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE5F-6026-952F-00000000A301}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320292Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.673{6A74A0F8-CE5F-6026-952F-00000000A301}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320291Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.176{6A74A0F8-CE5F-6026-942F-00000000A301}65007664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320290Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE5F-6026-942F-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320289Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320288Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320287Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320286Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320285Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE5F-6026-942F-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320284Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.000{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE5F-6026-942F-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:15.001{6A74A0F8-CE5F-6026-942F-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320318Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE60-6026-972F-00000000A301}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320317Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320316Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320315Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320314Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320313Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE60-6026-972F-00000000A301}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320312Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.890{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE60-6026-972F-00000000A301}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320311Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.891{6A74A0F8-CE60-6026-972F-00000000A301}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320310Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.379{6A74A0F8-CE60-6026-962F-00000000A301}28765992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320309Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE60-6026-962F-00000000A301}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320308Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320307Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320306Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320305Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320304Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE60-6026-962F-00000000A301}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320303Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.219{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE60-6026-962F-00000000A301}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320302Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:16.220{6A74A0F8-CE60-6026-962F-00000000A301}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320327Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE61-6026-982F-00000000A301}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320326Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320325Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320324Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320323Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320322Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE61-6026-982F-00000000A301}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320321Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.562{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE61-6026-982F-00000000A301}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320320Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.563{6A74A0F8-CE61-6026-982F-00000000A301}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320319Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:17.000{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB1C03381CCD64B5BE7BDB61754E631,SHA256=AA5B508FB3B8D19B740EEAA95A11F743B150CDD43157E26112A268407C8BEDDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320329Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:18.330{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52842-false10.0.1.12-8000- 23542300x8000000000000000320328Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:18.031{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2EBB400540228E6704268689B3620B,SHA256=AA0F472CFA01380A36FF4B9012B421FE0B466EF82EC98D6F9DA3AFC51DFD3B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320330Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:19.047{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C02A3EE5FDA53ED1D550CFCB114CBF,SHA256=7F6D470D9CE7590E388796E2EE80A69151E8D1907B0F817B9044F8041C5882B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320331Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:20.093{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7507E19C36F84E259A68B8D2B7DFEF,SHA256=5E1E529351F7056AD82587FA274F6210D464C68BDBCF08405AA0D44D7F3B49F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320332Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:21.109{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AF69D95CDF26D1F0DC47EAA0819AC9,SHA256=07A7FE1D1F285AFEEE654B1D4547F5B8ED5D600B229D7D6DDE75D675A025388D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320333Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:22.125{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1810DBBDDA1D7183B77BCF07BC8F74E1,SHA256=ABC42DB6EB0DCC1C6F80E97C8B64174D5328AAE6FF3F57DE4673A5C3CE2F49E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320335Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:23.424{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52843-false10.0.1.12-8000- 23542300x8000000000000000320334Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:23.140{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4344CDD6764ADCC7B3AD84A78864A374,SHA256=07201E5964AE2385CA8C0AED7CD0ED326718B5F67E341F168BF1CE27638AC086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320336Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:24.174{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197C689ACB7F7800782247A1E585D22D,SHA256=1A5144E79A93AA2D7253EB81CF73E2FBF9A3C62E2638D8E3614D6A2EC39BB2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320337Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:25.203{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDE7D91EE19AB77C91DF37D9A1E934B,SHA256=77BB40007DC26690C613A2A8962313EC4D99ACC2B922988FA0BD747BB9FD09C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320349Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.609{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320348Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.609{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320347Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.584{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320346Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320345Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320344Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320343Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320342Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320341Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320340Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.343{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320339Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.348{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2/regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320338Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:26.234{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14FD0BABD01689CAADB5EE054D23EB4,SHA256=FFDCA01116AEBA1AE7B7633007DF2B8DC2A54458443366FB68C851B836639C65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320377Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.799{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320376Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.799{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320375Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320374Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320373Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320372Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320371Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320370Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.781{6A74A0F8-CE6B-6026-9A2F-00000000A301}53083508C:\Windows\SysWOW64\calc.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000320369Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.782{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000320368Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.765{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320367Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.765{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320366Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.734{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320365Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.734{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320364Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.734{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320363Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.718{6A74A0F8-CE25-6026-892F-00000000A301}27365520C:\Windows\system32\svchost.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320362Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320361Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320360Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320359Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320358Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320357Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.699{6A74A0F8-CE6A-6026-992F-00000000A301}76405044C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(0000000006040099) 154100x8000000000000000320356Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.701{6A74A0F8-CE6B-6026-9A2F-00000000A301}5308C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2/regsvcs.dll 13241300x8000000000000000320355Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:52:27.696{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeHKCR\WOW6432Node\CLSID\{57DA77F3-27D4-3F92-9153-53374796FDFE}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000320354Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.695{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320353Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.671{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320352Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.671{6A74A0F8-B03D-6026-B92B-00000000A301}41087456C:\Windows\system32\dllhost.exe{6A74A0F8-CE6A-6026-992F-00000000A301}7640C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000320351Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1E8F1CAB97D7F65E843512CD8D3A706,SHA256=4ED4805EF7D2F553325B5C2ADF43D029ECD02B1B495D69D45BC21759AFF5B388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320350Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.250{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7BDB5644EFC7CA40F4622C247FD68C,SHA256=1023245282D6CBC49C216ED96827CF4AE977FEF057CDA85D1A77A664D306F0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320393Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.765{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E06D39A200B872540FC47D2CAC11FA29,SHA256=3D4765989F0413203D0CC45509C2F95ADDEDF8A5D9A725C78F2BED8C82810ECD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000320392Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:27.808{6A74A0F8-CE6A-6026-992F-00000000A301}7640WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 23542300x8000000000000000320391Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.328{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE56D4F56B1DE6AFCEAB77C099C52B37,SHA256=B5C6A2E9CD34F1069D4A164CD5B82FD2C7558EE37C486A7CE043390CF681C1BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320390Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320389Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320388Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320387Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320386Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320385Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320384Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320383Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320382Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320381Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320380Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320379Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320378Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:28.009{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE6B-6026-9B2F-00000000A301}8132C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320399Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.996{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320398Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.996{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320397Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.996{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320396Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.996{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320395Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.267{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52844-false10.0.1.12-8000- 23542300x8000000000000000320394Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570715BD099D71CCC315AD694ACE9377,SHA256=ED78C45582FBD365895D187537C05783E0DF18829C333B94B0C0C64856607400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320402Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:30.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1448D08BA66E0D21E437BC8B09127F0,SHA256=9F26EE0BC990C072EC557548036858F13F510BE736F15A3377E8C6BD1A1CB5A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320401Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.999{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320400Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:29.999{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320403Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:31.374{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE5A7082D9CDE74B5220ABD5C017762,SHA256=D83FED922BB3344DEEF6461580F2DF7F3945FBA8CF44C119BA6E5C60B1D017D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320404Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:32.421{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEC2C1C383D07F1CAF914FBF0A124E7,SHA256=2C8E2FED204BA63DB12DBC06EF202F3ABCE4FD5A9A6EB42CB647B80F9945E5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320405Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:33.453{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015E27A8CE940A3F7952F93352238FB0,SHA256=4ECC3C3F2079F28386F35BF98E5EC34DEC250C39F1B41E17400F15E12774539B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320407Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:34.377{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52845-false10.0.1.12-8000- 23542300x8000000000000000320406Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:34.489{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4494E1B5699B5B68D75AC1803BC5E90,SHA256=95D11B239C64B34E4E57FFB787A6CF6345AF712DA28BD791D8C2634451420528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320419Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.899{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320418Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.899{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320417Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.891{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320416Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320415Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320414Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320413Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320412Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320411Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320410Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.656{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320409Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.658{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" /U C:\Users\ADMINI~1\AppData\Local\Temp\2/regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320408Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:35.515{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AA72E339BB464D19B517996B113F26,SHA256=C9A9514C631BC46218DF0233BE98BABF9D9D932FCED630AE5BA60283E24C292B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320423Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:36.997{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000320422Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:36.992{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000320421Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:36.671{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B58732B2A4588EB303F933D39A00A525,SHA256=6D625804F05DB5C505B1AAA0A217E489BF33D8B6BD39B9AB77B437AF8D37403D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320420Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:36.546{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CD27CF498FF95B8BAE0368D0411FC0,SHA256=BE661B88EE852C4BA7A69BAF57DC0B659BB73616B3FD4161ADFD7279D7E5121D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000320426Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:37.114{6A74A0F8-CE73-6026-9C2F-00000000A301}7704WIN-DC-444010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 23542300x8000000000000000320425Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:37.597{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC92EE75FD24F7F4051D119B61616706,SHA256=9DF8DB7BB3DD1AB1ECA5E3DA3142F555547AFDE7273EB4A74D7B9E2CE31FAD7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320424Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:36.999{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-CE73-6026-9C2F-00000000A301}7704C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000320428Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:38.609{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACF2B6B11284104CBCBAC7A09970C76,SHA256=8738FAD91526D1F90C50399956B1BB6DF624CDBA544A7BF50D41637E50D6783B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320427Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:38.077{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E997CE72039B613072AB67E2B5CBE25D,SHA256=94598C780B5980BA631E1DAE233A08B48A4C7DAF07F913C37E123342D5961AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320429Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:39.640{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7C1C219B3818DF20E9242B007A7E26,SHA256=7415C13DFC65A4B5C6654647E99BC570BC89FF4656433154B211D7EF2CC301CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320431Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:40.655{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D784FD549283FCDDB57A965A5261556C,SHA256=8A7584F7678AF51D8552E4AC5B2D37744EC44071824B77A5E716BAAB70311349,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320430Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:39.424{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52846-false10.0.1.12-8000- 23542300x8000000000000000320433Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:41.718{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=458ED60FC9C17995C8B71D59AC76B438,SHA256=5A72062D67DF7C95BE93B11D58E1102E3B41FDF749D76342C8368D1865A43063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320432Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:41.655{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9261544410D9F0123440EBD9E8412D2,SHA256=A83DA1B69B948C21DDBA60931BC19A834C4EBF98A4AD7044BF11786F6E85DD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320434Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:42.671{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CE1784E06077BEAEAFFFFE0933487,SHA256=B6AC6D87FE8C770A1F40DA86A7F0D329ACAF037A9F19B26C78518470AB18CA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320435Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:43.698{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167133BD4097A67DD5A1BA0EC21EF1A,SHA256=0FE05383A4C89417455BBAE1E676833BE4466A4F4C9A2D6510335290DA407721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320437Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:44.750{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E26388B297C5A797616B7EB036F576A,SHA256=DF141AA1086A8476986A9A1F44C4EF8FDB39FB2562C4B9819BCACB8CAADAA946,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000320436Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:52:44.312{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d70170-0x3f720a40) 23542300x8000000000000000320484Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.781{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBC242640AA643BA55110CDD7DFA992,SHA256=2775E49D47F36A5550EE644C0AF15EA2C6EE578E201384DA36E2EFA62A5746C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320483Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.689{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CAE0D637BE35B861D030B29E8F5AA0,SHA256=FBFC1A7776F9D508CE8C2FFD36FE167E6886FA72AF900D9F4C79E0AD133EDA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320482Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320481Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320480Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320479Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320478Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320477Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320476Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320475Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320474Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320473Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320472Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320471Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320470Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.541{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320469Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.344{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320468Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.344{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320467Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320466Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320465Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320464Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320463Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320462Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.313{6A74A0F8-CE7D-6026-9E2F-00000000A301}72004604C:\Windows\SysWOW64\calc.exe{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000320461Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.318{6A74A0F8-CE7D-6026-9F2F-00000000A301}5628C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000320460Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.299{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320459Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.299{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320458Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.266{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320457Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.266{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320456Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.266{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320455Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.250{6A74A0F8-CE25-6026-892F-00000000A301}27365520C:\Windows\system32\svchost.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320454Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320453Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320452Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320451Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320450Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320449Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.234{6A74A0F8-CE7D-6026-9D2F-00000000A301}2246308C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(0000000004D50099) 154100x8000000000000000320448Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.237{6A74A0F8-CE7D-6026-9E2F-00000000A301}7200C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\ADMINI~1\AppData\Local\Temp\2/regsvcs.dll 10341000x8000000000000000320447Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.219{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320446Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.219{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320445Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320444Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320443Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320442Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320441Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320440Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320439Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.156{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000320438Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.159{6A74A0F8-CE7D-6026-9D2F-00000000A301}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\ADMINI~1\AppData\Local\Temp\2/regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000320488Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:46.828{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4511EB127F2B21107892063983CB2FCB,SHA256=95FB90BF32D464425F1821798541795871D59802EC95122853BEB67D64BEDB83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320487Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.438{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-444.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000320486Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:45.283{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52847-false10.0.1.12-8000- 23542300x8000000000000000320485Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:46.156{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=428A453A1C5D8BF77ABBA39061A0B2D3,SHA256=288D1D0DDC022B3E06D27F1091E549F8FEE50B9134A3BE5AE7BE388C43E0FD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320495Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.844{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4056CC26C7816640C40735AEE4D4DBC,SHA256=673AFC48129EB5AD65CBD1D816D4488CE720529E01DCD5B3044C9DD93B46CA7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320494Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320493Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320492Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320491Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320490Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320489Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:47.199{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320496Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:48.844{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C66BA33DB9F395A6B70ED959923864B,SHA256=758EBC852151FF702075EFB1AD7512B84202D978D9B4AFC02FA81D8D91918B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320497Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:49.875{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E4301ED2BDFAE7D4E20A3350F6F9BE,SHA256=92B1CA082E5336EBD749F2D6B1DB5D68DEF303556C7074BEDB617D31F1B7E5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320498Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:50.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C626DEBE03C263A1A9F973216B78C04,SHA256=E9EB041BDDC70CEED4D317E11F42D72FA722B782CE3A234F122914950D4C8395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320500Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:51.922{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD573487E4D913CBF0F5FFB65AC95981,SHA256=23E6016CD9EC42072B958D94F67CF0EA529BD96DABD930A581D4D04F0103DF7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320499Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:50.314{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52848-false10.0.1.12-8000- 23542300x8000000000000000320501Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:52.937{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF627D4B0D26271CEC34A452FD9A0143,SHA256=AD3FFC3DE064729E35698F6C9FA54498AFFF692B701E68CF8EDE13C22924D84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320502Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:53.987{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D75537E72B0B0DD7CCE232E171991F,SHA256=81F67329E7F81FB7677A0CAAB10FAC1B932F94A6111B90DC0E7099E42936015F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320503Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:55.016{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C639B3D5D79AC5F4A0B587277E6F9915,SHA256=CC4F9B350DE4721BA1E02DD23E84FD45BFCEB0E954DD3E1D2D06E5FD9F1BC10F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320505Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:55.408{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52849-false10.0.1.12-8000- 23542300x8000000000000000320504Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:56.047{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA3443A344C24A42CE74B7BB79018C0,SHA256=248D8CD37D68079E243AA1873B2CD713B6556C1E2AE04FB5834115A140B93D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320506Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:57.078{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4A0CB49E7B399B3DD8DF2024EA488C,SHA256=4C0704E4D50621CE5F7A1EBAC365B7A82988F69E7581D98939A581352A5125DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320507Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:58.097{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BF6ED9F769BC81E93E0C2612413CD2,SHA256=E6A6D9E3021906B8F0E8ED48DE4A9B0DCB0BACED6EC1FDDFE59CA8D403F54115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320509Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:59.198{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\datareporting\aborted-session-pingMD5=D6B65EC48910E680BC7DE568AFA179D5,SHA256=FD480ECE5406DD4DABA0A41F9E0C4E0293155B518921B023AA90B1368A333008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320508Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:52:59.109{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1897A38991F13978FABEB3CC455D78FB,SHA256=3CB54E0A416472D139E630AE5B0F73186DDF23CDB591E35FF378CE550D1E1114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320510Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:00.109{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF5834E5F35AD3B55A740D5848A2D2C,SHA256=38C0DE9FA4735F2E1EF70C1841F7FC34BD5680E07DA04679B11F946D03CD2245,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320512Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:01.268{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52850-false10.0.1.12-8000- 23542300x8000000000000000320511Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:01.125{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AB8308159C691F2BEB8A62A8E3165D,SHA256=3B16DD77FDAE3D743D9D392FB7DF4320F24226D28638750DEA49F84790C9D73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320514Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:02.140{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361354175A6E3A038FB5E1277A80CD3,SHA256=C12F6048AC7EE0705639248AA745778300C401F60AF93F8E57CB77122D3E0245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320513Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:02.046{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320516Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:03.220{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52851-false10.0.1.12-8089- 23542300x8000000000000000320515Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:03.140{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF47F45EFE586D22737EBECECF4061A4,SHA256=D077B33189181485F8D0FE98CD83923818DE9CE4EDD918D1DA7C640E058BD030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320517Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:04.192{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0C81DA6409672D2FAC9E66CE9C2EDB,SHA256=1F3C0F6DE261E9D9103C20FBC022B0FFD0EEAA9C96229FCB3CAF7DEBF5421A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320518Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:05.234{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6363778635233300EAF5186B3DE2238,SHA256=9B0AB25FEB1E3A1156D144450DABC04845CDC2674A236D106474A3FF4468410D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320520Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:06.314{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52852-false10.0.1.12-8000- 23542300x8000000000000000320519Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:06.250{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCBF11ACD1A4F0DBB1A774F98799AC8,SHA256=03B476CD38C9A52D52B3F77D7A0D4914061DF4909DE6E6060CC51293A7775F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320521Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:07.281{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3637E6DD4A1F7E14BDF33B3AD13748F7,SHA256=97891A96AA629282C13A6C3F45657778D9066607270BAFBAB0B34113ED6830D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320522Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:08.299{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9CC1FF13695564DE7A4AD816CE698D,SHA256=7EA4D9AC674712FEF632853A658CEA42D667E0EECB38FCEB6495C54E2E569455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320523Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:09.328{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34651FE41981DB7E010FD90125A69A81,SHA256=9007C5ECF98202BD3EDC226AC124FFCD2708D0D7679CACD8832E0900E8FD81B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320524Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:10.343{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF8B27F84E7A92FD3CCD6F90EBB3E4D,SHA256=888BBC1A66091D54D4E214385984DFA8441EEFF62DCE863B077F10C4788452B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320536Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.345{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52853-false10.0.1.12-8000- 23542300x8000000000000000320535Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.781{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19C51C56E1FF4DC5CB0C2C53DBA622D3,SHA256=109BCAA9E4D3700366BC8B6302EB2C6B10291532CC79BEED1F837D4A51C4DD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320534Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.781{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA1AB21834BCDC9E3E1B5FEEE8E19159,SHA256=E4F6E3B4A6BEF316669AA8F91C6FB09F837FEEDD0900761CDF0252485386CDBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320533Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE97-6026-A02F-00000000A301}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320532Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320531Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320530Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320529Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320528Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE97-6026-A02F-00000000A301}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320527Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.515{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE97-6026-A02F-00000000A301}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320526Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.516{6A74A0F8-CE97-6026-A02F-00000000A301}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320525Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.393{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E494CA2F25FA8569EF4E899C2F04968B,SHA256=944FCA1DCC5941D72F7FB9A9DB2252D03CDDF2A035F75BE214F11E88CFD4AF66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320539Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.955{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52854-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000320538Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:11.955{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52854-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000320537Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:12.421{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B6AFA3DBE13373590DE08AA73B0B3B,SHA256=656097EDE94DF0AA8FB018BF88116EF8EFE09E1A0D004F9692402EE2D446DE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320540Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:13.452{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710EB654357C4681C1AC18F1AA6628D8,SHA256=799AC730C9C2999F95E060F5813C6AD636008F80A397BFD63B1DCF0693C770DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320549Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.495{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F525FE941B05EAF8AF70FE4619EE76B,SHA256=785ACAC92AB870677D841CBE2482B5AE5681B8C6CC438DD1D9E6FF7FFF1A7D1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320548Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9A-6026-A12F-00000000A301}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320547Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320546Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320545Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320544Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320543Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE9A-6026-A12F-00000000A301}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320542Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.327{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9A-6026-A12F-00000000A301}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320541Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:14.328{6A74A0F8-CE9A-6026-A12F-00000000A301}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320568Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.859{6A74A0F8-CE9B-6026-A32F-00000000A301}48847244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320567Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.696{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9B-6026-A32F-00000000A301}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320566Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.694{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320565Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.694{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320564Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320563Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320562Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.693{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE9B-6026-A32F-00000000A301}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320561Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.693{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9B-6026-A32F-00000000A301}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320560Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.688{6A74A0F8-CE9B-6026-A32F-00000000A301}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320559Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.515{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6511E0B2FD5632B4FF101155C79D9D,SHA256=731448DCC44C3CAA1D2E7CFFA711EEF574BABF6FD7497D85B8888AE2DFEDD87F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320558Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.188{6A74A0F8-CE9B-6026-A22F-00000000A301}34528036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320557Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9B-6026-A22F-00000000A301}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320556Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320555Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320554Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320553Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320552Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CE9B-6026-A22F-00000000A301}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320551Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.015{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9B-6026-A22F-00000000A301}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320550Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:15.016{6A74A0F8-CE9B-6026-A22F-00000000A301}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000320579Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.408{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52855-false10.0.1.12-8000- 23542300x8000000000000000320578Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.546{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC3AC56B6EE7B65CA62BF2F48E6634D,SHA256=113499EC2C6F1070BDB23FE27444616B1693EC86230C34484CC95D74FDB17117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320577Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.515{6A74A0F8-CE9C-6026-A42F-00000000A301}44124120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320576Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9C-6026-A42F-00000000A301}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320575Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320574Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320573Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320572Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320571Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE9C-6026-A42F-00000000A301}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320570Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9C-6026-A42F-00000000A301}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320569Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:16.359{6A74A0F8-CE9C-6026-A42F-00000000A301}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320597Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.874{6A74A0F8-CE9D-6026-A62F-00000000A301}59404880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320596Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9D-6026-A62F-00000000A301}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320595Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320594Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320593Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320592Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320591Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CE9D-6026-A62F-00000000A301}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320590Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.718{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9D-6026-A62F-00000000A301}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320589Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.719{6A74A0F8-CE9D-6026-A62F-00000000A301}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320588Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.562{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C2E8B9808F6504385282B24E86A036,SHA256=80AEDE24112AE2A9CE36244F27900A50A041EF949EB5A0E7880FD8CB3440A192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320587Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CE9D-6026-A52F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320586Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320585Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320584Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320583Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320582Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CE9D-6026-A52F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320581Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CE9D-6026-A52F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320580Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:17.031{6A74A0F8-CE9D-6026-A52F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320598Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:18.577{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E056FA5584774E9768DA7952B8F92EE,SHA256=CB3E5D29F6BE3A76603D5292C88C74A25D6992DE9F22F9E8709E7A44D82F7851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320599Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:19.595{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3803E0D93B951DAD5C3C3C016FC70310,SHA256=CE146B25BA37C11680F25492EA165AAA7E9CE8F45F5401B180400E676E5A95A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320600Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:20.609{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE6770488B0572F6443A5DC51B634D6,SHA256=84459A86AE3735024BC73E7BD2553AA7F2FD41A37B293ED3355D4B9BFCC7DF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320601Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:21.640{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34741BF6E9148219812F9165616CC0A,SHA256=7B98B93CCE5EB778F04B25A00CCE7EDBDCBE8F8FB7B7D5BAA2B00510490B8FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320602Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:22.640{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2425D590E3316E61B9F914FCC4D80591,SHA256=176210A5316CA780692FF8A83EA24937073EF4A11CC8247DC826B6E9E0864053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320604Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:23.655{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDC49211960C62BE77AFCBF6E23C44C,SHA256=444C304E598B66BF4FCE007EA32535C7EA600EBCBE1C1DF0C1B91AD77E3F5F34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320603Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:22.267{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52856-false10.0.1.12-8000- 23542300x8000000000000000320605Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:24.671{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E7EC32AAB63A2D83C72968A619D514,SHA256=627D7B78560F7DC41AE6B53B68460A5FAAA833F669CF53174585985EA1448660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320606Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:25.689{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE21F54E615692B55C3F0EA79360308,SHA256=B97A0297BBF1713D9BD7DCD351D02B211602DAD3D6D0C8424450E529654F2CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320607Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:26.749{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC532EEED3D368C33262E7C7CDB825AC,SHA256=DFA8DB3E808616CFF819F2F2F102D9994B6F7714D53C73D952B1CCA854826738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320609Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:27.749{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604DC51941B16C8FB06BA66E30E9BB27,SHA256=2541D3704351BE3C953EAF67A93792584B2A75830CDEC8FB5F6DA51B13FD7F67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320608Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:27.283{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52857-false10.0.1.12-8000- 23542300x8000000000000000320610Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:28.780{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1483A2977CB1878655FA93AB9F41A22,SHA256=9A6950237F34FE5FB99600106FF8E3D704040F0EF0BB4F1003CBB7DBAFFFB20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320611Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:29.798{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA613A098BE2041FB9A697B08819271,SHA256=49550F35BE0DC784503A6CD9FA3BE313DA51D22406AC6D449D8A54D22BB71361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320612Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:30.811{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62D3C5479D9A6B26EF21AEC8CB08EB2,SHA256=50C8B227A2B506FEF3B344916022B24C48D38AAC53A02659BE80F4A00218523F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320613Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:31.843{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2677C4BD42BC10DB4CDEFB5930E021BC,SHA256=2D46D20571F5DE33216471076A1FBE7751E412E3A7F2C385B140DBB3E434D134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320614Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:32.874{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46A59BCA6D84BBA914EFC7E305111EF,SHA256=8B8D64F74C87697FE51354EFE7F77981C455B7D0379EB845E143A6BB233F9A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320616Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:33.921{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44036E0977F97EA823571262430E75B8,SHA256=5C8E90E3B9A1A823BACBDD58CF14C7276000D993E3DBC19D71A05C0EF00AF329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320615Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:32.376{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52858-false10.0.1.12-8000- 23542300x8000000000000000320617Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:34.952{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D5020C329B3A65FDCF45818AF45E35,SHA256=E6DEF4DD0D8DA4179478B63824E083845E3886D5676F07B56DAAC5B18216FE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320618Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:36.014{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0204B5495128EC380ABF426D275C7F66,SHA256=360B6E460E1440D37E1EC016C29AD589B4FA95F93CF09A97CACCBA373749E6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320619Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:37.014{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D427021CE965FEC84883CD40A9F241D9,SHA256=1790EEB55EB35D427E572843476A78D97504F152DB2CA97FAAB31E0D6DDE903A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320621Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:37.423{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52859-false10.0.1.12-8000- 23542300x8000000000000000320620Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:38.046{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F939763D0140389A9A05B19B382BEC,SHA256=CA954152AF1B698C447DB1F4B20F2F15556E477ECAE0217BB05F09BBD2B9CD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320622Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:39.077{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E305537B7DDCA392C49D810B2A0467,SHA256=D660BD5DCDC924EE9B696338180D19E10CB76661FBAF31501D67F1CA1EFDB550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320623Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:40.108{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44F3DA7307DD4BDC9F1A3235B7256CE,SHA256=C4C04C7EF901C808F395546DBF1DFAC6322D6EDBF32430749E743A73B1308A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.733{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=07D2D3F8A01B32A34D2F8B193A2884A4,SHA256=92F7F19656A75B4D582CB2AD30271E3526E8C525888DA8BF403223EBE85531D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320649Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320648Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320647Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320646Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320645Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320644Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320643Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320642Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320641Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320640Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320639Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320638Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320637Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320636Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320635Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320634Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320633Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320632Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320631Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320630Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320629Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320628Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320627Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320626Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320625Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.577{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320624Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:41.171{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A1607F84E8748B6F696C3DA6B41FBC,SHA256=EC8F20E066235ACB8B473472BD49CD263D188A69A9D4FE43390E4071846D49C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:42.593{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3CA04F78B5D03A6413A6E7D3FC4B25,SHA256=9D89A188D4EFA1A701410B3490E38DC7A8861C1F71EAC8F77B9D30423807A00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:43.608{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A7D8685CBB9424653936BE1310494F,SHA256=05A0845CF6546A36C6C0FEDC3972ED08D2A397BD5AC90B45B283A14A3642F130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:43.298{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52860-false10.0.1.12-8000- 23542300x8000000000000000320660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:44.639{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639511ACE1C15DD313E015C98A175F4C,SHA256=8286951414F75022BF3B6B6E37609D79344591CB35B083ED8B0875C4DD8B76DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:45.689{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34C66A6CB2DCED4C20EB500140AC448,SHA256=3A2DBAB57AE1E2119FF13DC11699987AFF41D53DD4C57C69F212B516CD866650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:46.717{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2986CE92CE574DBED1E1BE4F8A978D9,SHA256=95708475E281CBD4132D0D89A4CAC335BB352A3819B91A710C7367608219D041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:47.717{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3B0B616C1706EF7A88A75A13733CCB,SHA256=759956462F5E12E501DCF2D4E3BD0DEA8BB8C1C20E48337A530FBEC084F8B5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:48.748{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA464618601AC7BB63281884A17A8BD,SHA256=B220A267221263BD2A5B0FE03B470140AA7962CE0FA600E1B917E872B530F814,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:48.376{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52861-false10.0.1.12-8000- 23542300x8000000000000000320666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:49.764{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C112CA69B13A9D8C91E7C78F2AE5849,SHA256=AE620DAD89677D3BDFCD1783422CB9FCDF731B5785666C915CDD3724C84E94A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:50.764{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D953F583A07E5E824C9B66A2F2BE7FB,SHA256=6F3D1E7CF305144419265AABBC47A4D6CE5EB680CA156B2228538EA210914B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:51.798{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7138555BC39B60DF935E8441ED810E9,SHA256=E2A383E1BA917A8854AA9D1F0ED07C6069ED131BE97357D6B3C9D33F6A2B4BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:52.873{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EE6F196FCB1E7EA6A30E4FC97D1C00,SHA256=EA7AEB87CE67309D9D2448CFB83452387644E6BF5996EED81ED6174B623E0C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:53.892{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B4E61B16779A6BA92D839E9D96184B,SHA256=3B72C5B55C5C1CC3CC250C20B845E6AFAA01AA914B61EAA596BCE5A7541C951B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:53.438{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52862-false10.0.1.12-8000- 23542300x8000000000000000320672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:54.920{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C427F646D5E0943ED5354018C76B0FF2,SHA256=DEFA66726BF6B002F45C3008A6177E70A486555530A46A989B0052EA2460EE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:55.951{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE29B45EA25BE80EA8C2A24998390B,SHA256=4D28F62997078B0E9FB8BFBE28CCE0CB3B810A8AD943711D8D4AB235AA8C29D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:56.985{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56D005E2FEC10B7E1F61ADA99D39B5D,SHA256=44318487D1984F120E0B224740F5E6CCC6A7D7D816FFCB69F622F5654092214A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:58.014{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000855E3CBD935CAAB4EE16CCC3034D0,SHA256=8BD6F44A99011F4ED797E3E1D49454349C07718B5F73890E0667F8E535B61F96,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000320683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:53:59.897{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000320682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:53:59.897{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Config SourceDWORD (0x00000001) 13241300x8000000000000000320681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:53:59.897{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C.XML 354300x8000000000000000320680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:59.313{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52863-false10.0.1.12-8000- 10341000x8000000000000000320679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:59.233{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000320678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:59.233{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:59.233{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF54e766b.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:53:59.076{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4C5DE26A1D0A0963FB845212F036B,SHA256=F4D19A9BD841EC5CA348E3571C3DFDB34DC4C565B21DED8733352EFD95D20F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:00.920{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=594B13595C2DF8FD9E20496D7A4C3A29,SHA256=163531B898C44A580AE393AC93746781FB6E5F0B9222537843C815FEEAA18767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:00.920{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19C51C56E1FF4DC5CB0C2C53DBA622D3,SHA256=109BCAA9E4D3700366BC8B6302EB2C6B10291532CC79BEED1F837D4A51C4DD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:00.108{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D1FF96AA57893FB5C045D928E7F920,SHA256=90D892A729D6B9605BE9D0CD193EDDCB5AD05BD685FC7331B4986C5CC17211DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.104{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52866-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000320692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.104{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52866-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000320691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.098{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52865-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000320690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.098{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52865-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000320689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.083{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52864-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 354300x8000000000000000320688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.083{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52864-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 23542300x8000000000000000320687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:01.123{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4F34153CAF3F9CCCB072B7F7CC023D,SHA256=A145A8A5D0AE3E0406542BD9E1F68F4724432B668E6DA25D344D201AC9703B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:02.139{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7A9980021B4D62260C62E370DB4D55,SHA256=EF0A209C48772C2B491E00DB0D4AE1CDDEF60ABCCA7E817C79AD0A05FAB78D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:02.076{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:03.251{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52867-false10.0.1.12-8089- 23542300x8000000000000000320696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:03.139{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E39954C13C23762184D353F53ED0182,SHA256=A57CFC74BEDA0462FAC8F7FBEFD52AEA4806BC0DC3DF2022E0DD0D8E9090E6EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:04.407{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52868-false10.0.1.12-8000- 23542300x8000000000000000320698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:04.192{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C518A072F39DDD0EDA25D8F81C1B8C7,SHA256=BBEBF9ADD8B870E4CCD65A6CBE92B546B60D8103E6774AB870FD71305B6BA33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:05.195{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253F8F0373B8E5938DEDC09E06327EB0,SHA256=701059569D68C8B7362059556DA42ECD68CC7150E66398BE2D0A2A54E63CE368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:06.232{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A4F3707C69232CA23F2DF6F853838,SHA256=D23C46BC3AF2999368AE98A0645F981C77E7E9C2B298405DC0C300B70BEA3B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:07.248{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849D7C0222CBB23E8C956BE4E885B6A,SHA256=96505386281FC8CE7CF043E552A811BDFBDB0396A0DE58B39A31A6211F507F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:08.279{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FB5929202917AB09C61955E29E4D9,SHA256=FD78D518AAD21612EAAFA30D6FDA6CFBD3DA4F95B0DF07374A85662106C9E8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:09.279{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8914CA9F1536999C292C9EFFD407CA6,SHA256=50DF01D23A06D2755268D5FC9984D9EC1264806DD79D017A7DD7136E4A9E18E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:10.310{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE23994700D09C827CE95A0C83B43B2D,SHA256=C4CF4327A59E5DF60AE0D6ECF115363A56BB475D1BA26D0A546429529D2718AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.779{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D095AB2C0C7654756E7AA6BE064F2BC5,SHA256=E93EADE0A99A4A44394E2A10ECB4A41ED734653680D697A821E883578EA486B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.779{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=594B13595C2DF8FD9E20496D7A4C3A29,SHA256=163531B898C44A580AE393AC93746781FB6E5F0B9222537843C815FEEAA18767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED3-6026-A72F-00000000A301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CED3-6026-A72F-00000000A301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.451{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED3-6026-A72F-00000000A301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.452{6A74A0F8-CED3-6026-A72F-00000000A301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.357{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8585B520461444BE907FD84F1CE429DA,SHA256=6E51014EBEDE9417A4116B46784A410EF964E5C03A96EDE9645133FE1972E5C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:10.251{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52869-false10.0.1.12-8000- 23542300x8000000000000000320720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:12.373{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C47CFB28F1529FF7766EB29070A7699,SHA256=DE651F0D844C9BCF8249702EEA65154BCBB7957891C7A5E7EDE6C309F495E6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.970{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52870-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000320718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:11.970{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52870-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000320721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:13.391{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E2A44739F4BCC8452EEDCC5BFEACC3,SHA256=106115B116E9ED37FE8A3AD2F04DB7FC02D319732595F960DDB1C273D8A4F5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.420{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4C476096E301F79222625D9EFFFBC7,SHA256=B6BF25EF43122F0F8EE4DF07E0C420B704E4C6C5317187D72C42FEED5B2A04A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED6-6026-A82F-00000000A301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CED6-6026-A82F-00000000A301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.326{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED6-6026-A82F-00000000A301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:14.327{6A74A0F8-CED6-6026-A82F-00000000A301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.857{6A74A0F8-CED7-6026-AA2F-00000000A301}54807864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.694{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED7-6026-AA2F-00000000A301}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.692{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.692{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320745Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.692{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320744Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.692{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320743Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.692{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CED7-6026-AA2F-00000000A301}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.691{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED7-6026-AA2F-00000000A301}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.686{6A74A0F8-CED7-6026-AA2F-00000000A301}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.467{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7172C7AD549DC149429DC0460C19F27D,SHA256=6218FCC4BAE875F51894D790D93852EF309EC1AA9702B15C38373DBC03C51033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.187{6A74A0F8-CED7-6026-A92F-00000000A301}60167520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED7-6026-A92F-00000000A301}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CED7-6026-A92F-00000000A301}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED7-6026-A92F-00000000A301}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.014{6A74A0F8-CED7-6026-A92F-00000000A301}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED8-6026-AC2F-00000000A301}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CED8-6026-AC2F-00000000A301}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.935{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED8-6026-AC2F-00000000A301}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.937{6A74A0F8-CED8-6026-AC2F-00000000A301}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.545{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789EDBFED48E02160229538140EBED25,SHA256=7BE2DFF539F2A4E307F400B281CA88988370420AA346989D84DECD89F0CA2D65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.513{6A74A0F8-CED8-6026-AB2F-00000000A301}1362100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED8-6026-AB2F-00000000A301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CED8-6026-AB2F-00000000A301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.357{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED8-6026-AB2F-00000000A301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:16.358{6A74A0F8-CED8-6026-AB2F-00000000A301}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000320750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:15.376{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52871-false10.0.1.12-8000- 10341000x8000000000000000320778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CED9-6026-AD2F-00000000A301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CED9-6026-AD2F-00000000A301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.607{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CED9-6026-AD2F-00000000A301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.608{6A74A0F8-CED9-6026-AD2F-00000000A301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.560{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E43F798DFECC28114B9703036DEA1,SHA256=02FF8B98A33096F7B0188FB41D23B761DECE91539239BCAEB992FE731DC19640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:17.097{6A74A0F8-CED8-6026-AC2F-00000000A301}80887928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:18.576{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E94F6E243A959B13ED4E493467AD1E1,SHA256=972E23EC59C5ACC4803D35A19561F0FCCE872ED71BCE00B785AE0C64773BEEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:19.593{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C395C515ED396F0955901D935F6442C3,SHA256=C96097AB5E76E4AED4CB75D5B4F9316ABB0A03A84ED68CC7A2202F2FEB996822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:20.607{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786507F77C9569B07CDB8044177691C2,SHA256=929C29670130BEC43864E997490B2D427C7C00CCEE888D4ED37495FE3038B2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:21.623{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8819C95EE125DB5A279FE067FA506E,SHA256=ABA785174193931DA429AA25F92A82C2B096B60BDF204F912832D26578DDF9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:20.407{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52872-false10.0.1.12-8000- 23542300x8000000000000000320784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:22.638{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDCBC2101F746BA601E81AAF980A471,SHA256=0309815CD055C75F5B99B5E71E07101ED5C9B24902FE476BD42CC495F8D93960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:23.638{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E24D2EF530ACD874B815EE19AA21479,SHA256=1F1F00D8631C49A1226A3F71D77CBFD217BAA8A17FE983EFE9834BF36028B453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:24.654{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B2EE3A1E432D9A26CDD54CA7977634,SHA256=FA436720F6703558629F5BFC138DF5A18D7C45AB06EB5E8873E0C60F37C86AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:25.732{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FCF8A542E7518AD2DBDA50C7805415,SHA256=16616F2DF2C3B14D4F27E9DB07B59EBA3BAB8CC02718502E324223421CACD713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:26.779{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0584BF4F5515073494C6158CDAC61A6E,SHA256=1EE062933C7B98622F74566EA1FFCCE38597FD085330AE1B49164EB0F9ABB71E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:26.282{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52873-false10.0.1.12-8000- 23542300x8000000000000000320790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:27.797{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC143DC7F350BA66907F0DE8C01A157,SHA256=C7483C68413F30E491DAE09AC574B3C1E6169A342923FC65BF5591D0CFE6CACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:28.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100BB8AD2456A83B051B7EA679317A0B,SHA256=214316FA67AF87B53D5548EB95C20C78F3074DB8FA73C72E34238BA5A635B610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:29.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C4938D7800A1F25B61A2992CA3C939,SHA256=BF09A476138130C117038D8417EE2CBF3AB9835DFAACBDAF528D7C371A4280EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:30.826{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F6E1C4B310BE973D3D27347181D649,SHA256=7F52878008FE315733D9D58BFE85E81981C911C97675A0F6B68FAC30012DB955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:31.841{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D7B58E437DC9815109CF6B19A31BA0,SHA256=108E8915A5398B46A3A34E099DFE69290420761DA5E8B51439236E2021CFDDDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:31.360{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52874-false10.0.1.12-8000- 23542300x8000000000000000320796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:32.872{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F937CE166D04F1A6EFFA5E4E28972C79,SHA256=513922E69B9A4121879CD09ADAD04D6376591BDCF2CE0CFDC39429513C6BC6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:33.893{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B465A8F9B8CC73C934C037622E17DBA,SHA256=1BB4C90FDFECD9542BC77427C919B404B9674F2863BD32D07959F6BFE76BFDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:34.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B37793B661FAC58708A57263D9C95C4,SHA256=46ECD0C52238E7B4EC766EA3FE69E127B3EBB9CD5A5B8DF7370CB61473CB9E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320799Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:35.984{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6546DF147C5E7132CE952A3127A63AE7,SHA256=6B53D777F7C9DE1557F17077334D423065E896DBE7C6DFDCF736078DEEAD3291,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320800Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:36.438{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52875-false10.0.1.12-8000- 23542300x8000000000000000320801Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:37.013{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2782988964E6C06A1F54B7AB31F8516C,SHA256=37489FEBDDC7C694301CC7BA5B5B82A81895EA5229D827382720C83A3B01666D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320802Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:38.044{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897A8792A1DACC72B79FD04FE348A644,SHA256=FB7F51E6BF6AFF01042792E1CDBC02B0D43B60330EC49022E35217EF16DC347A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320803Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:39.075{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F382A8321F936B8FDC2185988F3B6C,SHA256=0D1C92FC4F50BF8383EAF636B05F2EB69805713EB5028825A5AD68F6F4323922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320804Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:40.095{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3216A443DBE26894D83090FC067D4F,SHA256=F96AF2908E55B5AAA36B085577E405BD60ACB41EF2CF8D6E557A2C33E8B0EA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320806Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:41.747{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=97E4EE311D76A2BBF4C62703D4893CB7,SHA256=EA7C942239E075CAF9FDBD1C42DFDDCC57A0E2A63B5AED7E9E3FC35ADA982C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320805Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:41.107{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1A3C5BD6F4939EABA60C31943D7C35,SHA256=30060FDCE72D8D8DAF5A876A1BEBFED8EA0019882FC6A4443AFF8B836DD52CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320808Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:42.282{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52876-false10.0.1.12-8000- 23542300x8000000000000000320807Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:42.107{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44242C6909304D3945FA932F68D96734,SHA256=A4CA8DDB795D5A4E52246EE4B63AD82BE16D76767344C6DE8C2CBAE7002B93F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320809Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:43.122{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5A9862ADF6DD39327F4C54ECE3C688,SHA256=BDF6DBE83447451F9C3E34B19A74579FEB0EE409F1F8D6C16114B6A473F3806A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320810Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:44.169{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCEFBAE15ADD822B517E670CBEC2444,SHA256=934CADA93FC5B259C6C040B1C3FC04190BDF5B078280E5D88DACC28D196F5C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320811Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:45.193{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28821DE7DA7775E6688B59FE4389CD4,SHA256=A572FF1F30428466EADC7DB2034061E4A98B0D9D9E987F643B6C7D9EA29500CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320812Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:46.196{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09964F116ED246330BFAF65D8B365357,SHA256=140F80BEE48099A0C96D7C6BABD8983081E071D6E43D4D8767CDD08B3DAE6A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320813Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:47.231{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B3442A87C517987FC7A8E7E2B16FD,SHA256=FB468F76EEF68164D2955662953F4D9111B865D8E3CA18956A9CD24C1A0FBFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320815Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:48.247{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B3C69F74C590824B47B9E6D250D06B,SHA256=7539A298FE0AA58639C9E2AE4D4E7EB0FF5C5D6F9D39B673ED4B1BEE00DB3BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320814Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:47.313{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52877-false10.0.1.12-8000- 23542300x8000000000000000320816Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:49.263{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C848F9670F361B4E0C6D94157B6BD3A7,SHA256=3D485F9680D7A4468C707A95CA28D104C5275478FDDB3CA32A57D2D21600C49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320817Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:50.278{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBEA54166F046287E17CAA9BA09E033,SHA256=6CE5A3DCDCB68D5E326952D02FCD0265EFF9EF15553EDFD069D1BFD226A571D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320818Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:51.325{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0609C0E45135942DCCA73519FE01D00,SHA256=E6CE2AF7C4C00BFB3DCF6EDF1342862F5923E3D8005271D079D4AA0CD7C5B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320819Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:52.341{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F4F3638F572EE555704CF53B326CA8,SHA256=D3860E9E64720220CDE0CF455580C98B7891248BB2F6DB291D2D40F4B1D2AB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320821Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:53.356{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AFDC75398A2D8130FA0A7740110018,SHA256=9FC3A90A1BF3AEDAC2635272202F74754622DB7FE3FF7744D69DD4AC75C75930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320820Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:52.376{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52878-false10.0.1.12-8000- 23542300x8000000000000000320822Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:54.372{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA48C6ADE98282DFC35E4FFCA30C60EA,SHA256=1D554B2C4DFC454F7824AEB255A192E7BF241C5E2F96EFD7247D92D360079CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320823Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:55.391{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AE6D9AF1B518F37E260C2950DB67D1,SHA256=412C013E7BD19AD7652C49E281E38D79B38F1ED09952DB265E648C70214414F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320824Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:56.434{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004F1B7A3B2492C3860D09ED16CC349F,SHA256=C5BF529B0C7E8F80144AEB27540875900496436A984F99E4CB08C116F78FA7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320825Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:57.434{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6778DD5E97B71166C6AB57AA32525C63,SHA256=63CA81A1EE520EF193BBA9F83B0B01397A5234387C2D5F5FC7A45B1674C06B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320827Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:58.450{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC0882F69902AF4D7AB20BB438C8D62,SHA256=6FAF331CC336463451EA33DC95ECE0B5918D11790001ACED732C4FDCF93DC107,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320826Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:58.250{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52879-false10.0.1.12-8000- 23542300x8000000000000000320828Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:54:59.483{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9420A3A06A944B9D2F6814E3C6FB62F9,SHA256=A069792332FC4FA31C68B32EE9AB39FAE8100734EFF91D202E825C648D5EF8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320830Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:00.559{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E56E6425D94098BF63DD9F841A2B06,SHA256=857931FC4644A30B8BBE93A94D84F134199FB8F481274DF394E74C473A794CC0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000320829Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:00.262{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d70170-0x907a7c0f) 23542300x8000000000000000320831Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:01.575{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867EBED98C16A260B60AD29B10445726,SHA256=1C9198B79BBE79B199A093E87AA876DDD7A3E02A7C53EE3FB4A43A60B04DD948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320834Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:02.594{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE81AD879CD74EE3D19326B43235FFCA,SHA256=AE3C8337CC9D1A061B6A620606168024244D88AAEBF551C769D083753F153D1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320833Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:01.437{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-444.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000320832Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:02.107{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320837Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:03.607{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3B8459CB052586BEE08CE1472C12B5,SHA256=2B9977265EB4882EECCAECF9D5D3518481B66DCF61B915693EB1DF5EE09770C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320836Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:03.282{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52880-false10.0.1.12-8089- 354300x8000000000000000320835Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:03.282{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52881-false10.0.1.12-8000- 23542300x8000000000000000320838Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:04.638{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37A8E5DE3D497438BABCCE40618B9AD,SHA256=DA2C487A94DE517BA29B4D39520CBB71E9AFF1581148E703EE5C450E5BF61F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320839Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:05.669{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96B2999AA7B1D39C5178A76441FB142,SHA256=5B101B850BD9B61DC0A565C184B2D756F7844AD63A3FB48B285A7C0E51A8D39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320840Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:06.696{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11F07F3A474D2E021540137A24945E0,SHA256=A2E6CA55608E4EACE65CC484FBB702FB586B08756A6392A7049688B755004A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320841Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:07.732{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD989D98B226BD0B614EAEAFA385992,SHA256=1A16D5C9AF4DDE37F13703E38FFF6F49B468A4BB450221C66AFAEEE288443E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320843Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:08.747{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB9CF9A278A7E78D1A45EC23A90DD2,SHA256=D4094C79BF2D13BD062E697CFB85ECF13BBF687A57C3CABEC877251B18E0AA90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320842Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:08.375{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52882-false10.0.1.12-8000- 23542300x8000000000000000320844Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:09.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CD83E9E123076993CB9E572842E15A,SHA256=74DE74342237C8DE4372C06EA872FBF2195037AA616272EB4D9E54FA6C7638EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320845Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:10.857{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63CCED063DB0F92E41E2926FD3AC50E,SHA256=7BBE24D6D52CE2DCD0FFCFDDF2FAE8743A6736C23C0EE19F3854080FDCB88C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320856Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.872{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=780E5402FFEA04C75797423299935FCF,SHA256=9BECC6AD9C0D297FE0B859E162D12941A5421F24E331089527DA58577C42C616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320855Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.872{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D095AB2C0C7654756E7AA6BE064F2BC5,SHA256=E93EADE0A99A4A44394E2A10ECB4A41ED734653680D697A821E883578EA486B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320854Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.857{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483425617E217850A0F6FAE2E9AB74CA,SHA256=34EA8820F1A4B135DB6E8DB85580D24118E9DC800AE9359FE48B9249CFE0BAC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320853Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF0F-6026-AE2F-00000000A301}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320852Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320851Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320850Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320849Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320848Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF0F-6026-AE2F-00000000A301}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320847Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.450{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF0F-6026-AE2F-00000000A301}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320846Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.451{6A74A0F8-CF0F-6026-AE2F-00000000A301}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320859Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:12.891{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BF4FFA41DFA409E33079033FBC5124,SHA256=8406E12C9C36085E549FAF0FF6E058258A4592443BF048695F403A0650565357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320858Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.985{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52883-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000320857Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:11.985{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52883-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000320861Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:13.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815744AD03B16CF32B35995FB8F59C5F,SHA256=0DD6C464E4D29E56D35A3B5383BB41CB353D4B9468725DBE4D8384FF1ACAE8B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320860Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:13.438{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52884-false10.0.1.12-8000- 23542300x8000000000000000320871Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.987{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4822B80C0A854379FFF7AFDC83AD7A,SHA256=77DD01EB0C39FF4FE27710CB9E324D0FFFD6A6733CAC93FF367C2BC460A539C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320870Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.489{6A74A0F8-CF12-6026-AF2F-00000000A301}53806208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320869Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF12-6026-AF2F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320868Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320867Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320866Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320865Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320864Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF12-6026-AF2F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320863Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.325{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF12-6026-AF2F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320862Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:14.326{6A74A0F8-CF12-6026-AF2F-00000000A301}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320889Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.841{6A74A0F8-CF13-6026-B12F-00000000A301}28447828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320888Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.693{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF13-6026-B12F-00000000A301}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320887Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320886Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320885Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320884Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.691{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320883Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.691{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF13-6026-B12F-00000000A301}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320882Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.690{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF13-6026-B12F-00000000A301}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320881Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.685{6A74A0F8-CF13-6026-B12F-00000000A301}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320880Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.185{6A74A0F8-CF13-6026-B02F-00000000A301}68763540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320879Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF13-6026-B02F-00000000A301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320878Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320877Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320876Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320875Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320874Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF13-6026-B02F-00000000A301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320873Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.013{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF13-6026-B02F-00000000A301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320872Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:15.014{6A74A0F8-CF13-6026-B02F-00000000A301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320899Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.513{6A74A0F8-CF14-6026-B22F-00000000A301}58925516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320898Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF14-6026-B22F-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320897Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320896Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320895Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320894Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320893Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF14-6026-B22F-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320892Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.356{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF14-6026-B22F-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320891Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.357{6A74A0F8-CF14-6026-B22F-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320890Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:16.013{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBA98C79D3033282061F260DA1B7AD4,SHA256=7B6D9DE1D8C453B09B084389FAF2734037CC812B420FFC068559C6E22A8F0630,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320916Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF15-6026-B42F-00000000A301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320915Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320914Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320913Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320912Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320911Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF15-6026-B42F-00000000A301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320910Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.716{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF15-6026-B42F-00000000A301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320909Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.717{6A74A0F8-CF15-6026-B42F-00000000A301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320908Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF15-6026-B32F-00000000A301}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320907Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320906Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320905Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320904Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320903Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF15-6026-B32F-00000000A301}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320902Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF15-6026-B32F-00000000A301}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320901Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.029{6A74A0F8-CF15-6026-B32F-00000000A301}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320900Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:17.028{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716AB11BAED8BF6843C415C5DD10A15D,SHA256=F783C954FEFF80057FECA597C1920038A2F302F2FE34425937D21E7BEAF6F55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320917Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:18.044{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860CCE2FC51F29505D50F17F7312B5,SHA256=D7F0F87E9978D742B264F2A4D7EF77A0BB0F93DBE286A9CA6CB0C45F6F399D6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320919Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:19.265{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52885-false10.0.1.12-8000- 23542300x8000000000000000320918Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:19.075{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656845B7B0AC5E089655C5CC61AB6D59,SHA256=29725A2E136159BEF5CE96FCFAD829E44B1C5EFBDC36F65B3D7279EC1314C483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320920Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:20.096{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6961546F25D57243CF5F6BBD99F1685F,SHA256=3B2E3D4CF95EFB515851294B208347A1424221DDF4278A688E4E11602EF1E13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320921Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:21.106{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02C6C65732BB13148064C8541A3DC7B,SHA256=A9B7CE50B5416E555E97F80C94780EDD1F747CAB3E6C3C28915167BAC9A75C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320922Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:22.138{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E6C08936FE4A77408F8D08FBCF4144,SHA256=8AD3F22F770E5D59CA1601951874A8DD433BD223A470F609C262FB9963CBEA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320923Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:23.153{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DF5B829C665423C7B6E626F30380E9,SHA256=C2A4057CA286B7A286714285633E31B831430727F194D5E5CE61C24FE689FCDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320925Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:24.282{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52886-false10.0.1.12-8000- 23542300x8000000000000000320924Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:24.169{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCBFE52952B24F7714D730B07F14B99,SHA256=3432A28CF5B04DC59BE168145BBECC3EE8D37C3631C466256934C4B76C4B7BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320926Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:25.169{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B0BC3884607FFF8BD1B841D19B92FA,SHA256=45138A9B26DD7A2A6D048DBD551E435512C17191C07EDB8B234E8B567CED3D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320927Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:26.186{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C660349DEECA9CFCD7A1F0A0007BA81,SHA256=415559145D38C16AC0C980E1BCC0310E7147C11FD05C045314CA0A4FBC1E8F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320928Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:27.215{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F7D45744CC8D395C83CA508AE5D6E3,SHA256=A07BDADEEEA20D631155B80E3DEDAC2137349BAD714C4819DC4F6F8C9010ABD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320929Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:28.247{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5C83CFB8E99CD2DFF91E2C0DE2E976,SHA256=9DBC56C99BB3D0934353704F1297BBD0A518E3BFDB7349C509478892836DC873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320930Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:29.262{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6D4E905A4E9B75DD0278A6F59A587E,SHA256=DE3340B1216081EF0AF3DC2BC06C48E7D088325EF54D8E37F701F29265D89E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320935Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:30.465{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320934Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:30.465{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320933Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:30.465{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320932Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:30.278{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C639EE07EAEC367CE6F6EE1E6C8C9A3,SHA256=1DE02CDE25B63CA394A73EFA2A403544203B625BEDD6306C4BD8A4611545C1CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320931Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:29.375{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52887-false10.0.1.12-8000- 23542300x8000000000000000320936Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:31.309{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B76B5CFE22D412A0281EE3C2085E174,SHA256=0ECB812B344D523C0B21697216FD66FAB10FF694B87FFD217B1B9CED14C7F67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320937Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:32.340{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D71B1752914F58FF102DECE67FAF1E,SHA256=CA7B69F995B201A7C0094209C6C384F43B650E4F09344FBAA16300C92424B32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320938Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:33.356{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BAE654AC81D181A85B3E7082946CB4,SHA256=7A26988293DA941CD88701AC6BB52DE0985E53F668EA3AB0154647D99F83C732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320939Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:34.372{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCDD378989DE80EDA4CCBF795C7A7CA,SHA256=C3710D627875D9BD13BA37E71D5B48F72C7D445C8EA0665C50562DD403661000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320941Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:35.390{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD85A7750423CD0B24AEB7F6886312B2,SHA256=71589D243C0C89F8688D3C98F5EDC56028ED6CEFCCE2283D51E16F331AB44E71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320940Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:34.437{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52888-false10.0.1.12-8000- 23542300x8000000000000000320942Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:36.418{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABC9B0C9F45F566296DFDBAE0D42326,SHA256=C0B8C3ADCE10FB877F3F8FA0940E65CCEDFC858558CCF21DB24D48C016236EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320943Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:37.483{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056ECD859CADE28E10944E04F920B2B,SHA256=43E3732A5098B26683BC7574AAA68E3FE929B48365864FD2C42386BEBF613FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320944Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:38.512{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7439C5BC6A2346A6396F3519423A6FD7,SHA256=855CD042DCACB72A0AA40139729DF43843B860A4AF57CED81A76BC3C52460433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320945Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:39.543{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808438B0A2E71386BF6C320D65F3F1B6,SHA256=326AB46A24F8CC3579EE93B8B46935ACA2BC5F794ECB6F60DA2732BEDF34846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320947Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:40.559{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07011B7CAC416A986EAD952C65602AE6,SHA256=47FABE56F3FE21EF8A20A23016D4CC02738CC7057991AA542F97E43A97274FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320946Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:40.328{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52889-false10.0.1.12-8000- 23542300x8000000000000000320949Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:41.762{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DFC0E5A6B9E92817E9A2BAC6541D2101,SHA256=09A2C05F2424850167DD9DC7D74FE9F5FEBF35E141B3123D4706133BD7BC53FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320948Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:41.596{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8AC5B3959E3345F1F39B50AE3E91E1,SHA256=CC4E6B025B28E282A8769E23CD838937C97B0F11AE656C2E7FDF1C5E448A3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320981Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.965{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B502675502B252C6B564460299C17FDE,SHA256=66C366C2FA113DC6E5825A1F1EA6B8031C960C7EB8209332714F2222D7BFA6B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320980Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.592{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320979Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.592{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320978Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.592{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320977Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.592{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320976Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.592{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320975Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320974Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320973Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320972Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320971Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320970Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320969Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320968Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320967Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320966Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320965Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320964Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320963Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320962Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320961Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320960Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320959Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320958Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320957Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320956Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320955Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320954Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320953Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320952Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320951Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320950Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.591{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320990Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:43.985{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C12B3F24038BD4F1C7D7FBB21E39FC,SHA256=F03951D1AE04249B5704EFB2E15F2C3AB2748BE99D6920119B6AEAAB35CCD32C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320989Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.474{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-444.attackrange.local53domainfalse10.0.1.14win-dc-444.attackrange.local56346- 354300x8000000000000000320988Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.474{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-444.attackrange.local65535-false10.0.1.14win-dc-444.attackrange.local53domain 354300x8000000000000000320987Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.474{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-444.attackrange.local53domainfalse10.0.1.14win-dc-444.attackrange.local65535- 354300x8000000000000000320986Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.473{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:7001:0:c8c0:f8fb:7e6:ffff-65535-truea00:10e:4439:4b60:7404:488b:4368:4889-53domain 354300x8000000000000000320985Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.473{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local53872- 354300x8000000000000000320984Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.472{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local65535-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local53domain 354300x8000000000000000320983Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.332{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-444.attackrange.local138netbios-dgm 354300x8000000000000000320982Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:42.332{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-444.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000320992Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:45.406{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52890-false10.0.1.12-8000- 23542300x8000000000000000320991Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:45.012{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EFCE3D0B72C88DCC476054FC516ABD,SHA256=FCF987E6BB35BCD07E9EB4E03CF67927E7D21A1A6DE462E1498586C17B18B0F4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321003Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000321002Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05501a28) 13241300x8000000000000000321001Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70168-0x4a2b486d) 13241300x8000000000000000321000Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70170-0xabefb06d) 13241300x8000000000000000320999Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70179-0x0db4186d) 13241300x8000000000000000320998Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000320997Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05501a28) 13241300x8000000000000000320996Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70168-0x4a2b486d) 13241300x8000000000000000320995Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70170-0xabefb06d) 13241300x8000000000000000320994Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:55:46.684{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70179-0x0db4186d) 23542300x8000000000000000320993Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:46.028{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A71652FA5AD8643D9B4B6D9273AAA5C,SHA256=F0D7AAE9841476EFB89A5E2F065041FB0480E200FEB2B0F729D273E8B106FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321004Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:47.028{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48597728F948D22D331EFE805BC36C2C,SHA256=D59732FCD9FF4E3E30EFC6A07D1FD69A9DB0EEAD14A973DC0AD1952366A6ED60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321005Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:48.043{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAE67087557CD85432EBC57F052FA3E,SHA256=C3CC72C6113DF73D05546DFF8694FBCDC87F69F43485C93BA58C1AAE47DFF358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321006Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:49.059{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3EF0D86C254D86FE29F35BFD7F5808,SHA256=58C8086A3B3A253D9418B17BED6E8D930AD6926E8D8E50C2B8E3CEBA15526306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321007Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:50.093{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E74BEC00EE875DC455AF8B7B30A5FE,SHA256=1953ABBC522991DF9495D07302A00CB1F83B292E01A6DAE2DDE0DC9893EF76BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321009Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:51.281{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52891-false10.0.1.12-8000- 23542300x8000000000000000321008Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:51.106{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F2A0EFCBEAF0AEE66784451CFA784C,SHA256=E25712721EFA06B72183763926B11B2C64F3D36CA31D18929ECB7A62A2BFF769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321010Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:52.152{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51FBB7F67A801AB963A0836F6429F34,SHA256=D5C6896DD36CBD37A82959761E5027E2BCA80F85D587035007A960866F8CC389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321011Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:53.188{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E609BBC7FB1910653B12CA9C98CE0538,SHA256=D269B2D300D1201004BF0285820FA796B237A458C0BD7DD88A0A00B489A68B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321012Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:54.191{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E939E522B29584A4B618332E90D733,SHA256=446632E827DF9259E2E5B549CAEAAB03F6063BCFB9DCA8C179884CC536D4E123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321013Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:55.195{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A21DB31C2E5DEF2AED10F98E5D23C6,SHA256=52CC8BA9C3D03A4AD1226C1DFD0015CB16ABBEDCF5F5626E5E925D6161A511E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321015Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:56.343{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52892-false10.0.1.12-8000- 23542300x8000000000000000321014Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:56.230{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC6606A3083CE8AB63BFA1FF7ED6907,SHA256=A2143F26C02AB40D820093696C3DAA1017CB098C8DAD2C531EE597A886C4739E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321016Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:57.230{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26085597A24F3F8BFFAD483C30C7F94,SHA256=3A1D1E7E65C6F7065F552BAEB66E6615BF4E5AF54CCA5C4F6F6AB7A5963E8B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321017Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:58.246{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F96F77D90592C86B9EBA2FB248A0AB8,SHA256=46224DF9DB06361F9DE9CE0D68126D2A3DD4F79E4864DFC48B79A53002E172A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321021Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:59.262{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFEC739AD644F7AAACB9435C97ED2AE,SHA256=781085E7FF927822241F3E183F931CA855128322B5E0AD94A841D1DD0D921AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321020Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:59.246{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000321019Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:59.246{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321018Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:55:59.246{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5504b3a.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321024Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:00.277{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D12867C5AA51F0DC912D46ED400AA53,SHA256=6CB23AE611FE91DED66EAE75F43800BB5F3E5789902214B4FD9023BAE130D25B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321023Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:00.185{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321022Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:00.185{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321026Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:01.375{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52893-false10.0.1.12-8000- 23542300x8000000000000000321025Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:01.277{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1F6092940B781435D9C07AF931CA5E,SHA256=8E409D5400BA14C607EE00BB23CD8C3D13C915FE3D7A3B8CF867D044DA45B3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321028Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:02.295{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F304DE267608AB23E942580837F4D35,SHA256=5A1F713FFEE85CB5CB9BB94897EC0E32B8732FF13E3DC68844FF9FD378250899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321027Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:02.137{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321030Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:03.312{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52894-false10.0.1.12-8089- 23542300x8000000000000000321029Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:03.308{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6FC2245B2AC50D9534D84B6575067E,SHA256=C010667B4F8BBE86774474D4C22EC10FA1017ED4014DC01CD74C54FB267E72A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321032Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:04.989{6A74A0F8-730A-6025-0B00-00000000A301}8606660C:\Windows\system32\lsass.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000321031Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:04.324{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C4DDF1992CB78EA5BCF34EBDC3E1E3,SHA256=E09473630D0458234CCE5EB4094A1DEF5E29F3607ADF3801A770D2DA6224E9F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321039Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.072{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-444.attackrange.local52896-false10.0.1.14win-dc-444.attackrange.local389ldap 354300x8000000000000000321038Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.072{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52896-false10.0.1.14win-dc-444.attackrange.local389ldap 354300x8000000000000000321037Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.065{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52895-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000321036Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.065{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52895-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 23542300x8000000000000000321035Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:05.895{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF887A30E3F984BFEF7D1C7B344567F,SHA256=840451CB4BCF56D33EA6D5C6F4AF154FF831E61DB6E98111BDE4F6B282726108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321034Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:05.895{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=780E5402FFEA04C75797423299935FCF,SHA256=9BECC6AD9C0D297FE0B859E162D12941A5421F24E331089527DA58577C42C616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321033Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:05.340{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BE648661CA543892CD646212CDC748,SHA256=68C6D1E8700DC0DCE28C53BF9AC2D3D6B915FECA6D3187B38C6F209DBFDA8084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321044Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.371{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0031315806224D125B55F7C0A2E198,SHA256=5697C90CEFA5518858BA89C4330E1DE2F72BDBDF62EEC863D2DAC4DEB4D5E4D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321043Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.175{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52898-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local49666- 354300x8000000000000000321042Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.175{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52898-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local49666- 354300x8000000000000000321041Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.174{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52897-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 354300x8000000000000000321040Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.174{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52897-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 23542300x8000000000000000321048Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:07.390{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940BB10E8A6872B8834D4517AFF672AB,SHA256=312DE71B0807CA40730D72C9456AEB5D80CD46298A9028AEFA636F9EB9753884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321047Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.437{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52900-false10.0.1.12-8000- 354300x8000000000000000321046Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.178{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52899-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 354300x8000000000000000321045Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:06.178{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52899-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 23542300x8000000000000000321049Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:08.418{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7508BE2DE26C59DAD08D8534BC9D0F,SHA256=1CEB1C8B000539725764525B4C7101E2BEDB85322E2493269AD4E0D82C3728F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321050Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:09.433{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578CB18A12FF7897A3CF484AD06EB355,SHA256=A82EAF5258DBC32405C4899576A8002841A6FFBCFF918E9C760906082ED116F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321051Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:10.449{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A52D346E3E9C7975A15E81FB37E2CC,SHA256=A535E3722B57419F9677B2015A10A37729AF2635DCD05F045EFA2E647BFAC548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321062Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.808{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3448C4437F077C149853C287E53CCED9,SHA256=9B2390C7804CC6DA78E5BEB73286DAFBC14DB0BEE89B2E3B55399778BE3C9D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321061Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.808{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF887A30E3F984BFEF7D1C7B344567F,SHA256=840451CB4BCF56D33EA6D5C6F4AF154FF831E61DB6E98111BDE4F6B282726108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321060Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF4B-6026-B52F-00000000A301}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321059Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321058Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321057Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321056Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321055Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF4B-6026-B52F-00000000A301}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321054Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF4B-6026-B52F-00000000A301}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321053Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.450{6A74A0F8-CF4B-6026-B52F-00000000A301}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321052Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.449{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993A9D24541EF3D9457E42C8D40EB6A0,SHA256=7E37A83F98EF9AADF4F6B2E3100639EEDD5F8D87E13A7C7ABBC14549131D7B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321065Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:12.487{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6DBF1FF5AD5F78117C3E811F43F714,SHA256=222CF8E7FE43A6007F203E358AA1BAE2AB3AE7909B0DC0D024A07CC5BBD8AF03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321064Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.985{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52901-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321063Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:11.985{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52901-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000321067Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:13.511{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620EDC45D5919AEE16A895F50BC20D58,SHA256=F7075175AE6249D3E18B48B01E5954C9D36C2764CAED0D52E2BC81DB79AEE1EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321066Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:12.249{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52902-false10.0.1.12-8000- 23542300x8000000000000000321076Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.542{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A83A52675F6D331CF5A981FB96B84DB,SHA256=04D325F38AD906A83AB456DE92071C9D34DB3D68341A8CE072389DA2DBD0DF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321075Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF4E-6026-B62F-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321074Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321073Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321072Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321071Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321070Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF4E-6026-B62F-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321069Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.324{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF4E-6026-B62F-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321068Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:14.325{6A74A0F8-CF4E-6026-B62F-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321095Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.839{6A74A0F8-CF4F-6026-B82F-00000000A301}51884012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321094Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.692{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF4F-6026-B82F-00000000A301}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321093Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.690{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321092Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.690{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321091Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.690{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321090Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.689{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321089Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.689{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF4F-6026-B82F-00000000A301}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321088Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.689{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF4F-6026-B82F-00000000A301}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321087Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.684{6A74A0F8-CF4F-6026-B82F-00000000A301}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321086Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.558{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6D17A81B3137DAC128DC97F030BD38,SHA256=343440345F8AAC2C94EB346932A2EE6D5EB9A88E85C7EB0397EC41C7A7BBC1C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321085Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.185{6A74A0F8-CF4F-6026-B72F-00000000A301}73966740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321084Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF4F-6026-B72F-00000000A301}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321083Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321082Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321081Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321080Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321079Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF4F-6026-B72F-00000000A301}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321078Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.011{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF4F-6026-B72F-00000000A301}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321077Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:15.012{6A74A0F8-CF4F-6026-B72F-00000000A301}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321106Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.730{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3448C4437F077C149853C287E53CCED9,SHA256=9B2390C7804CC6DA78E5BEB73286DAFBC14DB0BEE89B2E3B55399778BE3C9D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321105Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.574{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D786C012F5308A95EC253AF3A654A5E3,SHA256=CF5ECD82E11CDB385A2C97A92C01A7FA8C64B7F85F017B6E41986DB1FECFCF32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321104Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.511{6A74A0F8-CF50-6026-B92F-00000000A301}2244952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321103Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF50-6026-B92F-00000000A301}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321102Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321101Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321100Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321099Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321098Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF50-6026-B92F-00000000A301}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321097Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.355{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF50-6026-B92F-00000000A301}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321096Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:16.356{6A74A0F8-CF50-6026-B92F-00000000A301}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321124Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.824{6A74A0F8-CF51-6026-BB2F-00000000A301}74688104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321123Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF51-6026-BB2F-00000000A301}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321122Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321121Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321120Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321119Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321118Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF51-6026-BB2F-00000000A301}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321117Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.652{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF51-6026-BB2F-00000000A301}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321116Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.653{6A74A0F8-CF51-6026-BB2F-00000000A301}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321115Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.595{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9732CE38FBFBCC61E431F8DCC199CB,SHA256=62BB7AA5D29CEA7DA968FC81B77D8069477C1D65085827CB2EF293698E345E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321114Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF51-6026-BA2F-00000000A301}7524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321113Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321112Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321111Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321110Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321109Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF51-6026-BA2F-00000000A301}7524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321108Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.027{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF51-6026-BA2F-00000000A301}7524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321107Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.028{6A74A0F8-CF51-6026-BA2F-00000000A301}7524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321128Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:18.652{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C713518145CAB54D9CCFC1252BAEECC,SHA256=18980395D3617D036CB5D335EA2D9158DE319FBDFA8823A7E4284387BE3280B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321127Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:18.542{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C8DBDA7E7A4FA0E020AEACC61DA5C77,SHA256=128DC19DF59795280C7DC7D2DE7CD8B8EACFC4780EB79CE5B66DB474A10756F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321126Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:18.542{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0FFE7BCC62A405D298FD32CDE0DDA5F,SHA256=347045AE97A571A0D8BF4581DFD07497A0C9EDE01DB0BFF7080B0DACDC874140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321125Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:17.312{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52903-false10.0.1.12-8000- 23542300x8000000000000000321129Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:19.685{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122F79F6AF3FEE196EB6257ACE2654D4,SHA256=DE210A211A431BC4E21BEF06260BB9EF0A435E0641FA8C1D33B1D8005AB7F4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321131Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:20.714{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5E19D89B3911E29072E9C619DD6711,SHA256=608AEC09F70024C64C8060D906A574C4E202E3A0669F83B980EA995DC8777252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321130Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:20.511{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321132Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:21.745{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6311FFD87F6A0930D44E26293A7E7A,SHA256=8BBC2C25EEB4038A6EA862D4EF1D6111D35ECD9694F1031979D8334494B471B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321133Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:22.745{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE027052FE0C823C08EDF2B5C1AF96A,SHA256=E974E19C6BA5C1D529E688BDA422789FFAD2B2E8BEE76FCB5129F3951DC1E95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321135Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:23.761{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAD7272DA8DFA2B73B79E7451A43509,SHA256=2EA0B5D9B1B7B4C3D69E8673104BCA8CC328477BCB743ED65D30C5865D32C1F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321134Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:22.405{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52904-false10.0.1.12-8000- 23542300x8000000000000000321136Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:24.761{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50935779895FD572C5E47E37AE7ABDA,SHA256=E732D873E6A71884FA21AD3D54F362D0CA893AD371521CF6E3956A5A08DB1A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321137Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:25.794{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CAE0B692410DDD735DACBF38FE04C0,SHA256=08142A1B069038A1FD16ECFD566CE5193D6788A60696A64856A8AE048F4A043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321138Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:26.808{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335DF4E5CCC965D42D3A734272448F17,SHA256=F53DAE53BB7DA8EFDF41524CE378BCDD65FD7DF565D4663AC9BE55B2D066FD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321139Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:27.823{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FC4DEEC2024E60F7540EDD81D398A6,SHA256=F59303374F82C55D02241D2C44891ADEDEE17D39725EDA3045A1CB25DB99F7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321141Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:28.839{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBC923F26691A492EB2F93084D966C,SHA256=56DF222FA6D7B6A1DEE626C6DD80AC58AF3D0165C2A514802AF427224487292C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321140Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:28.249{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52905-false10.0.1.12-8000- 23542300x8000000000000000321142Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:29.870{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2816952A498C658C472EE421B7E63B,SHA256=47FC1BFADDE8632D941C05166C32743969C8EBE47BD161DB0353CB4631CE4BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321143Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:30.888{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39466E652410F4E9EF3B572F2C3B007,SHA256=27F664F4150821F6A39CE6329673F2C81A4BEBF2AAAAD7AF37E2C6B4EE4DA855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321144Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:31.948{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCA1FF33E4F37B874D51EF5887D2B90,SHA256=394260B903C14AA9599100B1B54987AF68F74CFD024E5C1CD8F041672E6BD87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321145Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:32.948{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46B912D74DE4982EA7CBBDE5B21C10,SHA256=1589C1487088E7753A67B387AA180E3FD0D519D0EA663DCE60EA5CCE57285942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321147Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:33.983{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E63E47FA217903BC77CCB6C905CC57D,SHA256=E0111147B604AFCAFA4B0E9196954151811C8F4656CDAEE85F56F63004E467B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321146Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:33.374{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52906-false10.0.1.12-8000- 23542300x8000000000000000321148Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:35.042{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5321A8E45EEDC1101A5B8E4586F779,SHA256=BB9FD64491ED00BD78099AAE3A94D350B90B52D3E84CB3815B3C1F0D444E4BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321149Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:36.042{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C2A70FFF570A1AF9B459335AC6F6BD,SHA256=F74F7911DD5AC0E241FC70A75AF103BCF61644DCD00224FE1A6520EBF0B16BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321150Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:37.073{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A173F34BD852F9DF5C3FD952D785B14,SHA256=D4E4F04A1EA900DCF4B17A42817FC22B87B4BE432EDF779D5FC93A5290EFCD40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321152Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:38.436{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52907-false10.0.1.12-8000- 23542300x8000000000000000321151Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:38.104{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B193D388E56B2BCC55CE2F3375A017AB,SHA256=9DD427802745EAF7B5027A2AB51DB7051E3D347735FF30F979B561BD8D27E560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321153Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:39.104{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5304C12EE3B040EE552012020743F486,SHA256=882739508C3D98ED0FD46AF0FCAC62F70245375BE6FEF88D5AEF329E403906B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321154Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:40.136{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB74F3F3992C8B6F5E4833EB07716DC,SHA256=07B00AF8C924E5A3DE78C18E3E5C7A5702493F008844B4F1BF97BAFCC2641EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321156Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:41.776{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=560A343BB255310265B40642C332EC17,SHA256=BB4FA7A030CB297F6B34A512776BE550BDFE18BB17B04728CA24E560B35BF2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321155Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:41.151{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBE531B6641C1AAE518E86434815E17,SHA256=FDE158225648ED8F6A39069B387BEE0B5CD4EE75AE2F1BA35ABDDC1DBAB55836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:42.167{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A63DFD8C40B0CA0A7714CC3DCDDA5D,SHA256=D43A65FF44B2A6F0355826C7C9DE182BEEBEF5BC00777FBD7D19DB5ADCE799EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:43.185{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8374E882BE9E4FDB0DA1810A24351CD2,SHA256=23CCAE74675A375A82C87B85DB0466E44DD71CCD2DABD3F8CFC7ED2186282E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:44.327{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52908-false10.0.1.12-8000- 23542300x8000000000000000321159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:44.194{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12A56680BF9633FBFBC159A01F462FD,SHA256=BB43C6A7C1139BB2EAA4BBEA0769F7B65A17B6B54154AA571C6416AA3F31D3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:45.245{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF11AD168904F5AC9F1FB17382C0D40C,SHA256=6206AC21865014D70C29EF03018025441F5E2D0815B891A9C237BEF16132D830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:46.260{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE11B01E66AFE709A948B13F3167F8DA,SHA256=5EEB9E620BED11437C7E0A52FA753D455D5D078648979AE2F0D608F42693A3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:47.276{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830915793E164C6CAB5E0D6FC4BAB5EB,SHA256=F8D600D4466EA5267487B3F2C49F86A16504E9AE36C271A63A165E1339DA003B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:48.294{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62C2EF87E398D09C79FE5DEDFAF864E,SHA256=FC1B61842D61E243EA95DCFA1A9AACD01DAAAA3596DD24EF349164183A98EC08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:49.405{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52909-false10.0.1.12-8000- 23542300x8000000000000000321165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:49.307{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937EAB4AD2872287D016449CEB055E82,SHA256=2AB75A8420C1F9B93DD4C2970E5AF22B86881AD3BBC75281416ED13B36594973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:50.307{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DDA0560FF1FEF91119F402E9387A5A,SHA256=0C1B25ABAB151EEC4A493F37BF09D4434A5DD1ED9FF9A3F94FEAF1B41F93B53B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:51.713{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:51.713{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:51.323{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4476130AD56D83C82259BB35913C1401,SHA256=21127B5009DC1BA1C9A7DC896BBFB5AEA7043A3FC1CF51A9CDE253DC05F93499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:52.354{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B87BEFA9C48DF6A1692380B673A97F,SHA256=4F433B1789C4ABA8EFC3CEF5F1F9F5DBD8174A6C51953319383B5F810FBE2CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:53.370{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1089992CC10CFCBF4A53A4630DE0F,SHA256=DD6CF0876A9D461EB5AC3CB95C0CA9050609442D158A890961681CA96B953A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:54.370{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD314859A33634A8D5BC66F72EBF91C,SHA256=07F0DC063C1F25DF589E219C11079D4590495FA1B9ED86498303FF2F709F8AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:55.280{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52910-false10.0.1.12-8000- 23542300x8000000000000000321174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:55.432{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF948B7A96A82AD72E54FFF4D2407D2,SHA256=C5004F94368D7A8AB858244593CF5F204FAA5E367236D7A9ED0882E72E75C3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:56.448{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADF61D4C9323F4690D59A9E0605B0A4,SHA256=F0D1A3A9825D6FA59155A7FD095FF52A6C3EDA0F8A3C823870EF09232FC9EA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:57.463{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332A0538177F7AA151CCFECEC39B9DEB,SHA256=18B2685047F0478563A9DED2373786196D8C8FA76A72F926D4C86C8CF5A8A459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:58.887{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CE17E6FDF230BA4FE2B5326998A7A529,SHA256=0DD44D492E833895CFFE9F2ED3E34C3923BB386C72B853731547D712A0ED275C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:58.481{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3CB9DF0CF079B78920B73A4C56FAE7,SHA256=F684F8CAD83448F467EF27166D206E17C2ED00E7B79191D5797C133C729C27DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:56:59.510{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37D999AF6D3B229BCA2E460CB920197,SHA256=87237C06298EC4D5E0E4000E4279283902D709401F850049F2C86535728B696A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:00.573{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4C73F9E4352586C85456EC755D0D43,SHA256=BB6C3684CE120D37FD6913E29BAC0B2D44C30090446B1E03AAC57DD32B6EA187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:01.573{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C574DC300B4F35EDEF219CA6F91F96,SHA256=E00607E3FB9C22DF1C2492C318C2707F929B9A90B251D9A5109A1A9FC66FD435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:00.327{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52911-false10.0.1.12-8000- 23542300x8000000000000000321185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:02.604{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB328EFA0395E4946276876FC1C66B2,SHA256=EF9C0169499EDB228FA8C19E6A1F358198B458FEAEB16B72B2931D53279A8D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:02.166{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:03.635{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38838BB671077390FE40C91277CB8782,SHA256=89A56600ABB0ADCFA665D160F62FC3D20F5FCD5534E0A5D3C1042EC7111F7839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:04.666{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57F59426C82162E6A9A59E8B04C1825,SHA256=FAFF37BA41DC79EF772F82A76FA01D0AAB56B24DF92D3EC9C192BEC789654C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:03.343{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52912-false10.0.1.12-8089- 23542300x8000000000000000321189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:05.684{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FA0B890482E13C6B523653980E3D61,SHA256=A29FBEE409B7E7C9A309E0D761E0AB0EA22A230F36657FF55451C7F5EBB1E197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:06.693{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322EE8CE1811D05BBE590BD5D00C59AF,SHA256=0CC53AD4E2553EB1FEAAF33E475CA768640471759157845639B932EB5336E89F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:05.374{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52913-false10.0.1.12-8000- 23542300x8000000000000000321192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:07.744{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83089E1D0A8038448A21F403FA9F06DB,SHA256=CA76641E5D0C12F74C2B914501139D6563C6C4A395FD317168D1C5D9AD0BEEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:08.760{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7C26422E3A73F8168654D200DA5541,SHA256=4016FD16B42DE5296ABF534F4F6CBDDD07CAA826B805DA7BE2C19308011908D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:09.776{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C487CCB40970E3DE4979156D6C942548,SHA256=53665D39D2839F86128CD49A416595EE0F2AB58521BA080A9C8341FD84E8AEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:10.822{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A8E64C3D0EA5F46E07DAF451C821AE,SHA256=B5DF92E9FFC7657CA586F3E53CD3F8EBC27D1EB8660FD8502C2CEFD3CADE3004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.838{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3737D7A4A641A972BA23FC7D53A7CCE8,SHA256=4311CFD6918A61AFAE3FF912C9FB689AFDF488838FFA4A01C54C942D411A6DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.838{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE81706ED904FA828ED4290FDBFF95E3,SHA256=152044B5C3A98E6E8D57A64FFE80158623478D26DF9D42D91A65CB9F7EC8AAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.838{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43AE4D928E8004CA0CE1A5148D8DC7D8,SHA256=24D3415411A02C2AEC58E260E3EB2F28465AD452B25C57A50052005B04E0E18A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF87-6026-BC2F-00000000A301}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF87-6026-BC2F-00000000A301}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.447{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF87-6026-BC2F-00000000A301}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.448{6A74A0F8-CF87-6026-BC2F-00000000A301}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000321196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.280{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52914-false10.0.1.12-8000- 23542300x8000000000000000321210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:12.869{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1BBA003A779EF420A372CB7DBEABD6,SHA256=60A94A5BA1186B49FE07CB71C3BC73D2BE548F496EC2B079882A5DC452D461FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.999{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52915-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:11.999{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52915-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000321211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:13.869{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2768B094A0701E8B1DB327104866B0,SHA256=AF3C4635D991E116FD62C7EC39B8E00EE26F9E1C363143CD65EFA001ABCE3C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.947{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1692397A6E7E51E09A2FCAC4FCC263D4,SHA256=5284A4246FF6F1946D489E4BE7A5E24F9393C3C7C42AD38A93CD00937C75D7F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8A-6026-BD2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF8A-6026-BD2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.322{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8A-6026-BD2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:14.323{6A74A0F8-CF8A-6026-BD2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.963{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A04268F18B3270927F97F68AAA85A,SHA256=ECA2F8397DFF8267EEBEE129DA1CAA8EF0D721A2DADEA3881636625EAC78EB23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.838{6A74A0F8-CF8B-6026-BF2F-00000000A301}60683848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.690{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8B-6026-BF2F-00000000A301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.688{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.688{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.688{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.688{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.688{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF8B-6026-BF2F-00000000A301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.687{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8B-6026-BF2F-00000000A301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.683{6A74A0F8-CF8B-6026-BF2F-00000000A301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.186{6A74A0F8-CF8B-6026-BE2F-00000000A301}13047632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8B-6026-BE2F-00000000A301}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF8B-6026-BE2F-00000000A301}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.010{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8B-6026-BE2F-00000000A301}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:15.011{6A74A0F8-CF8B-6026-BE2F-00000000A301}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.988{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A8424816BC04B8F6202D6D87C23E61,SHA256=A6751ECA6F2ECC3467DE689C15E4B13409A98624D4488F34C3710E36C0AB2EB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8C-6026-C12F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CF8C-6026-C12F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.963{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8C-6026-C12F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.964{6A74A0F8-CF8C-6026-C12F-00000000A301}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000321249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.295{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52916-false10.0.1.12-8000- 10341000x8000000000000000321248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.447{6A74A0F8-CF8C-6026-C02F-00000000A301}61927664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8C-6026-C02F-00000000A301}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CF8C-6026-C02F-00000000A301}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8C-6026-C02F-00000000A301}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:16.293{6A74A0F8-CF8C-6026-C02F-00000000A301}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CF8D-6026-C22F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-730C-6025-0C00-00000000A301}6081100C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CF8D-6026-C22F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.635{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CF8D-6026-C22F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.636{6A74A0F8-CF8D-6026-C22F-00000000A301}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:17.119{6A74A0F8-CF8C-6026-C12F-00000000A301}56845116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:18.541{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-CE25-6026-892F-00000000A301}2736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:18.010{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A65C40568FF73C66B04BE0EF0DE702,SHA256=6437183F4A5306F8EE5906EB10EFE23F35ACACF5AC05B2C9BC4EEBE9A1C4F786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:19.010{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22264F96BABB9B5C23A09D26BEFC6954,SHA256=388EF243068072E74F346EC649502C04DD3A8F7BBFAE2F9604E56415A60BAD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:20.041{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C29542D052BEF28D6472DB1C7B129B9,SHA256=7A3C0B5A5BB5A6B284ACDE70069B286797BDA75B3AB6FB5735B752E91D904592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:21.374{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52917-false10.0.1.12-8000- 23542300x8000000000000000321272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:21.057{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4ADEC31F6A9B9C9B346742DD0FA4D44,SHA256=FF97AB644069FD54AB2EC0CBEE9B388F528ACC40DEFEFBFCB09924F4D6986782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:22.072{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3F7A556E4C2088F8ABBAFE7BD42758,SHA256=48A3E2487FD893BF8AFEB3B7790BC5583DA67A3B5FF17FB5C1292BEFCAF94F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:23.092{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA032FADDD3B157FBDDDD93E0A8B9456,SHA256=83C294B9771321FCC99E2B998BBFF5697B247DF98EC3291EA5589C003245CC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:24.103{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431D2AEE8CEDD2C4C0E8E4CDA5BCEB4A,SHA256=2B9EA21E1AF1FF6ED158AA94CAA3439AAFC22AFCD213F56731149918B95EE5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:25.135{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCEE04F1698E2AD7C397C5F1EF08B5E,SHA256=C93FEFAE188E84BD4C2AA3AB31C3CC735CB21EA0E0C262EDEEED594DE1632694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:26.166{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1663E35348BE41D81A69DCB01724F0,SHA256=A7086B107F51770C5E11BFDC79041AF47A23FFCCE8B79A304ADBA76970390835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:27.185{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE616F303DE4B913DB9E69B34116A9B,SHA256=406280DE8F92FF779A0291C7A79A2A125C7DF1CC4C17C0C427BA1803031E3221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:28.244{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85D7321010284271D90E64AF2FFB284,SHA256=875D206F9AC5E1BBEFFA2C2C92B12F695C0A51CD33531073E3149A23B44D7A2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:27.248{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52918-false10.0.1.12-8000- 23542300x8000000000000000321282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:29.275{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830740312E0E0C574691D74FAD73F496,SHA256=16E5F8F19FB03CA3A6037BBBD52AFE4ABB70BC209694281DA155E812860D8A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:30.293{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B23CCBA63340F36D7D3BE84201149A2,SHA256=256E07FBD5653BDEE3D12A67F36E1F2ADA47E6C5C2F40250B1EDE583BBC49FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321284Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:31.338{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1007B345591E3B52FF135439D433A30,SHA256=889533617B88A37B9118A357032E1F1759695D89419CD8D7246C73178FBA4CFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321286Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:32.295{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52919-false10.0.1.12-8000- 23542300x8000000000000000321285Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:32.353{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5958BDEC8768B2DF617848D8EF74439,SHA256=16E93C5DAB1BF51300507E6F5EF44623EFC940BE743D2B1F7BAA6CA8ECB766C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321287Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:33.353{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96ADB9896D13C273031DC403108C210,SHA256=0D810D852EF514FD52CB90A09B753CC4C9DECC36154B64BBCEA6A2D9625874E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321288Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:34.369{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3790425EF66983729B9C65112626B6,SHA256=C70F132DDB93D1B2152305C44714B8DE07FBDEDF7F1C9B3C78D3C26051151CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321289Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:35.369{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176B9764E727B4F054A331ADAFCF1F79,SHA256=EC07052761410C20FF78CC1B97E4EBBBCC4F35EE2BA7ABA8A501936A7CCCDCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321290Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:36.387{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172DDFB9FD735292E9D4CFEA5BCE9A0F,SHA256=27830758E7D74C28B35F5A4AF597B54B647866441EE09DF8FAFF131BBCD36801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321291Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:37.416{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF14FA7BBC304222613B5B2B55422728,SHA256=DA0EF099847EE35CC16C519330B3E3EE4404B24129B14D8A7F674F3AFC4E72A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321293Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:38.447{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5D1DA21E0267394FD68AB3AA8BD519,SHA256=698E0E34DE747299D0ED92308FF8EB04EABB7B5B3CB3882166B218FCCBCA2C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321292Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:37.358{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52920-false10.0.1.12-8000- 23542300x8000000000000000321294Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:39.480{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF6D8BE8C04BD6A043EC5CD9CE62B62,SHA256=F53B228EA03AD2E4A4E103A5CC12842A163D5AE00301277ED2DA7A1F36A49339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321296Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:40.744{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-CE0A-6026-7E2F-00000000A301}628C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321295Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:40.509{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261DB0FFA67E0238B8149649FD220F5D,SHA256=2FAB557A87D3B329527EFBB934618151DDE4B546B98FCABBC746C8983BA91EB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321300Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:41.884{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321299Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:41.884{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321298Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:41.791{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AAB2B4A5362BC5373B41B0456EF8CC25,SHA256=A424E1AECC472C0F1853FD44393A33BA850EC49C5D81A516F9FAFEC552C26220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321297Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:41.540{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0979ED7A88C1397BB483D5535BA97B,SHA256=D8704D1633BA7EC9A6AF538A18CDF0A1481828D5C375A5E79332E6F7B47F8180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321301Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:42.572{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103F44B2C7754F44B01A79F863BA1265,SHA256=29C58FE2A9D32E578EAF3AE28426C261CB975D1468718DB24692D279B1CE4A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321303Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:43.590{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AAA50F145A141374B9DED54E58C57B,SHA256=5E92B328BF0B2821ABC12FFFA9F1A8169BB41C525754B46EAA3B77EF3A1082FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321302Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:42.420{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52921-false10.0.1.12-8000- 23542300x8000000000000000321304Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:44.603{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E8BD7CC9E64831DAD05E0C1663506,SHA256=31B93541583E60229ABF5B6F84C967D5104A4F5FCB90DB61603E507C16FD596B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321305Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:45.665{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B503981BBAF1AEC493E63B31287440,SHA256=F8CA3E26F42BE38A520ED3D6BCC9CDF033EC9C23A12138B77C10480270234D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321308Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:46.685{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E51995FF2341BC6C3EDDC8F94017E3,SHA256=CA6E86D8AF48A3E012FAB7DE649004A9ECB51B801A4D3F454EA0F0528B01E4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321307Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:46.293{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=18EC6EA851229803C64F5317441C295D,SHA256=4E82B0642DAD357CF9E74279765390F6F383B60606F9F700DB25250C8EA4B33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321306Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:46.293{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C8DBDA7E7A4FA0E020AEACC61DA5C77,SHA256=128DC19DF59795280C7DC7D2DE7CD8B8EACFC4780EB79CE5B66DB474A10756F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321309Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:47.712{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653FB501C9FF72CFB1556678FD5EEA04,SHA256=316CE137C50B2CDF82954EEC943B6FAD3071DF6109258703953538C2D7AC37EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321311Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:48.743{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE596BEA2684543DBE5CA6C167BD5E,SHA256=A500F0519383C8279D933F01026E2DE29058886ACA4012F0CD116D781F391120,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321310Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:48.248{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52922-false10.0.1.12-8000- 23542300x8000000000000000321312Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:49.759{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEA7B8F7616F34438740BAC143C2E47,SHA256=999B85E350191579E03B68B030DA6286C96751CDF66E91D743E5306A4B2F2801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321313Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:50.775{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327817CCCF89EF7B146D636C1BF32FD0,SHA256=36712F0E4A8C5C7D0C32B46A25EC2DA3A489AF78DA0B3A46FAB6E2FF5CC5D915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321314Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:51.792{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52996D76A68CA5385AA22C81A4BE81E9,SHA256=7C41784FC5E58866D120C5E8B3B562695260E6A53C405139472C7F958E0D3C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321315Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:52.837{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBCC00585B27495E2757B78FA9F37A9,SHA256=2AD92F6562876EB2B370DB9B534EB93CC3F3F0BA6DE88436860E4C5077515A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321317Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:53.853{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F6C3A3B072C920FB9131B5A6273F4C,SHA256=2C753D863913DEE1187AC2B61DB3FB77C03B675D2405A27644D2246310C87A0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321316Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:53.311{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52923-false10.0.1.12-8000- 23542300x8000000000000000321318Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:54.868{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF84EC9F319FC88FA93D12CBD751F1A,SHA256=284DAFDF368F0FAF0F05E618515D0925BF9B9DF300220535A67D5A5754586B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321319Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:55.892{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38490BB3E1BB4D40BB6D6720A973473,SHA256=B90FBA264C665C42F82B64E909D5235B25A74D700F6BF8E91A87CFFD50C62A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321320Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:56.915{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2B1C1E7ABA9EA75A2176C444C43B61,SHA256=1415433FAA4E59208B6175E4F2EEDDABF0CB091099404B920122D5C0B88C7E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321321Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:57.946{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA15FA58AE9781256787B81642A92DC,SHA256=214700F6CE34FBE398FCFDE549036F254013259C19374D6A8ECCA724AC97DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321323Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:58.980{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4029E2A5A7A7FDC8B72E61928E7FB050,SHA256=C910417118B8F9C5A4B52BCABEE80DDE7AFD49233C7F5898FE208F585D61E821,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321322Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:57:58.373{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52924-false10.0.1.12-8000- 10341000x8000000000000000321357Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321356Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321355Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321354Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321353Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321352Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321351Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321350Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321349Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321348Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321347Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321346Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321345Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321344Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321343Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321342Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321341Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321340Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321339Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321338Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321337Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321336Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321335Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321334Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321333Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321332Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321331Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321330Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321329Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321328Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321327Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321326Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321325Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.743{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321324Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:00.009{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C039B1DE96FC0F7EFA6CBF4145464C,SHA256=0C49649688025C12DFFE95DC1399AC700C9F9376B283D94A2C409C09DC07B299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321358Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:01.291{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333BD8CC92FB14243C38FDCA97315B94,SHA256=C49A2E44004A3D14598B533798E632C5941AF12D995B4DCACA73C6312EE0A3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321360Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:02.306{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2279536C726E9FF0EF217D572E5D3C2F,SHA256=15A3FC047C775A93FF9B1EC9370BEF1604E3AAAE79AB1BD4F66971AFDF6B1D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321359Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:02.187{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321362Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:03.373{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52925-false10.0.1.12-8089- 23542300x8000000000000000321361Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:03.337{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF4D7D29DBA686E4BAE3B4228926D66,SHA256=95727013BFD3EA9F449F69CED67BE0086AA3EEA8BCB73975BA785E472D5FABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321364Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:04.264{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52926-false10.0.1.12-8000- 23542300x8000000000000000321363Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:04.368{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEEC65B77E49ACEE6164CDAD27843DC,SHA256=C5819AFEBAABF7864C940941F565E1E4CF4E18DDB12C041099FC198033F55A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321365Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:05.392{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1AA764BF96F0B9B10046772D53D287,SHA256=069E5533FD46C08F75BA7CDE5CAD18B58614775469898A0EF669494425B7AF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321367Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:06.774{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\datareporting\aborted-session-pingMD5=D681AFCCF4879A7AF2A6621DF6D22DCB,SHA256=C97F7F0BFBDDC6CC5A786EA63DCEF2F6ACDF4617B97AB2D90B8435BAACAB602E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321366Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:06.415{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A278B5019F6C5F62EC2D1FDA7503D7E,SHA256=D087AC161EB0BB760978987A87A0A0BF791BB369E7C2477D8F8DFB36C71D0A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321368Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:07.415{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01261D2FA6A0B5CB03786BD59C5E594E,SHA256=EB3A891BA08F6BA9A1C323D9EEAFAD46C7857D68A213C4A3B64A19244856BA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321369Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:08.446{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA93140F6084FF179AD93C0DA6930B1,SHA256=D1FF07D8C780CAB2BB9FEEDD902F4E6DED3E0488000B0F6F61E0F998391A0E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321371Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:09.342{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52927-false10.0.1.12-8000- 23542300x8000000000000000321370Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:09.479{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520F2A3CE5BA9A03B77622872EFAC3D7,SHA256=6516BCA2D58F50AC2D7B2AD12B4F66FCB86D00EF577199E41DD404D7BE11D5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321372Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:10.508{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300764F721B708983FD1EFB8C48CF981,SHA256=472C1245B939F6735493B7C04B5FAB4550D6CF5D52329736625E47146190520E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321383Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.821{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3FA25703C4B83B0867276C1271E35F,SHA256=D002BD76D3747F9AEA8DDD0E8DA7D1F6412345A4894BCCD216E04273F8718B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321382Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.821{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3737D7A4A641A972BA23FC7D53A7CCE8,SHA256=4311CFD6918A61AFAE3FF912C9FB689AFDF488838FFA4A01C54C942D411A6DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321381Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.524{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E36F801A7CD65255F5F37374F65D1,SHA256=CD7699DF860E9016A4EBA72910596ABAE222F18EE22D574339AB63FEDE6E4DF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321380Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC3-6026-C32F-00000000A301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321379Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321378Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321377Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321376Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321375Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CFC3-6026-C32F-00000000A301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321374Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC3-6026-C32F-00000000A301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321373Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:11.462{6A74A0F8-CFC3-6026-C32F-00000000A301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321384Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:12.524{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBED0EC96BC49845A04CF5A47D66470B,SHA256=684136D21403797842FA543D4E9724F86DCF14A3F3D62F6C8B690C773678660B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321388Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localEXE2021-02-12 18:58:13.852{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\regasm.exe2021-02-12 18:58:13.852 23542300x8000000000000000321387Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:13.540{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04473293224D3AD0F9EB438DD14B46E,SHA256=7827F2C3A2AAF2ECB23C5085F2D6C0CBC32923CF6FD95F8ECB1996FB7C3C6E86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321386Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:12.014{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52928-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321385Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:12.014{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52928-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321408Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.404{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52929-false10.0.1.12-8000- 10341000x8000000000000000321407Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.892{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC6-6026-C52F-00000000A301}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321406Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.891{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321405Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.891{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321404Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.891{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321403Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.891{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321402Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.891{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CFC6-6026-C52F-00000000A301}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321401Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.890{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC6-6026-C52F-00000000A301}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321400Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.885{6A74A0F8-CFC6-6026-C52F-00000000A301}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321399Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.868{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=610F56B760B1FFF8EFD59781DF33F797,SHA256=3729E04257AF1965365E6686403F50004AE7D4501D540173BBA9C23EE61D11A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321398Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.571{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB289AD7104B40C95BAABD986CDA7CAB,SHA256=C1BB85DE41BA099FE832486DBFAA5D800C5DBE9736DE710ACF5804E94C8847C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321397Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.485{6A74A0F8-CFC6-6026-C42F-00000000A301}24248104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321396Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC6-6026-C42F-00000000A301}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321395Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321394Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321393Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321392Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321391Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CFC6-6026-C42F-00000000A301}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321390Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.321{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC6-6026-C42F-00000000A301}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321389Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:14.322{6A74A0F8-CFC6-6026-C42F-00000000A301}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321419Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.711{6A74A0F8-CFC7-6026-C62F-00000000A301}65481508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321418Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.602{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76417AF42CCE0DB1B529BAEF278B960E,SHA256=E5FD3F745B84DC943298A6678A23D60F98349E2CE5BB4648BB741786001DA5D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321417Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC7-6026-C62F-00000000A301}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321416Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321415Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321414Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321413Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321412Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-CFC7-6026-C62F-00000000A301}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321411Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.555{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC7-6026-C62F-00000000A301}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321410Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.556{6A74A0F8-CFC7-6026-C62F-00000000A301}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321409Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:15.055{6A74A0F8-CFC6-6026-C52F-00000000A301}41927936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321437Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC8-6026-C82F-00000000A301}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321436Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321435Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321434Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321433Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321432Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-CFC8-6026-C82F-00000000A301}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321431Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.711{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC8-6026-C82F-00000000A301}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321430Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.713{6A74A0F8-CFC8-6026-C82F-00000000A301}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321429Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.649{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D6952903DFF82EE1BB8BE515DB0F22,SHA256=B2771A8064838FC0AE8E1B35340AC860DC27FC696D4ECCE2B4B29D5C6CFF7C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321428Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.211{6A74A0F8-CFC8-6026-C72F-00000000A301}76682852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321427Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC8-6026-C72F-00000000A301}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321426Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321425Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321424Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321423Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321422Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CFC8-6026-C72F-00000000A301}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321421Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.056{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC8-6026-C72F-00000000A301}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321420Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:16.057{6A74A0F8-CFC8-6026-C72F-00000000A301}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321446Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.665{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7F2DB045125AC5E8D24CC6DBE026A5,SHA256=5742929C6B4A04B94E74F93714DD9638871E5A3BA9B7775192BE4C25C313C8F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321445Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.392{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFC9-6026-C92F-00000000A301}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321444Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321443Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321442Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321441Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321440Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.389{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CFC9-6026-C92F-00000000A301}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321439Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.389{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFC9-6026-C92F-00000000A301}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321438Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:17.384{6A74A0F8-CFC9-6026-C92F-00000000A301}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321447Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:18.692{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6785BFB9B051016154A7FFB1DD91727,SHA256=E51CFF769179ACA9A13FC550E8D2C5A877B5624956F75C8AAE9CE5C56AAFF472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321448Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:19.711{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F70A572B57A22541F379FEFCAA96E5D,SHA256=7EDA7168AD09FD3EFC1CF3C2A74DE88C3078125FD2853D6806B573B2A70A3FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321449Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:20.711{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D05F0B1B53CF119B46C553FCCA578AE,SHA256=1CA49ABE11D695849C993786F5702D8F90F66FC8CEA76EA1220773A2A1E0BA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321451Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:21.743{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241F950EA3E8179FD4631A402185E420,SHA256=8FA53B50D879E61EEDC772FA09F303F3F482011283AB640897893C411B77418F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321450Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:20.295{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52930-false10.0.1.12-8000- 23542300x8000000000000000321452Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:22.758{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AF03C821BC6D184A247F58F46C464,SHA256=64800FD5A04C19469F786269A0393556C8A55995650755BFF78E64162B0B2EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321453Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:23.774{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EB8BF042813A6BFDC8FD73BE19430F,SHA256=24E7BBEA87CCFD4930B08866DBD91DCF429CCA00137C674279E2FEC867498E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321454Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:24.805{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D853A97E03CF820033627CFE4B6FC13,SHA256=966CC5B17685C7830BACF7348930400DA16F77E4A745033C04E21D506C6F4679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321455Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:25.821{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6381B25164FE950D0795795ED3AC6C45,SHA256=7A63C7A2223036C7EB271E6F3E491BD2E7AB7304F958EB17AC5C008A60080678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321457Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:26.852{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563A17726F019E463DAF735101B287C6,SHA256=60E3F6C122752EA0F7F6AA498BD9EE62D1DD2369149A896052C140A590F6BF0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321456Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:25.373{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52931-false10.0.1.12-8000- 23542300x8000000000000000321458Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:27.867{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07C91EC12ED228B8FD38808A1AADBC5,SHA256=0CCF2B32F3E108CAA10C229EFF3C4C742C758C1D13385C50F95F22A2DC76EE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321460Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:28.867{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234371D72D7890ADBF4BC65ECE068ECE,SHA256=FA2E00C31BC6B0E056FBE2C464EC1DB1E6D18523CF8C75E43249D8C60DB77020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321459Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:28.664{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321461Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:29.885{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871075364B5E81321430B38C8D9AFDC4,SHA256=C1300E91E5A59F0852599C4BE8204C3F0C5D93D514DED423E4F543BCB960CFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321463Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:30.914{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2E0429502360AB6FB28E922A61BEFE,SHA256=36DD725016AE8F41E7F9163E79E5E73B24968A2C5E1A0C3D8819E6E225983298,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321462Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:30.435{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52932-false10.0.1.12-8000- 23542300x8000000000000000321464Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:31.945{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78A74D0E30AB0C2950BFDD63E6922FA,SHA256=16EB852ECDD96241A30527F6E1685E2158C3C265A7CDEBDBFEBA56CFCA1F68CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321465Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:32.961{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1500DFEB956781846EA359F92AEE5645,SHA256=63A3AEBA3C918572DD511DAAFD9851A1D906A2E27AF935FEB3348911FE6533B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321466Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:33.986{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFC6824B4AC62D3DFB42772C437DB66,SHA256=5940AB2EF477B581FAF5672114D8B992B5CBAF92EC617104DBC254BCBA33D76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321467Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:35.070{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0987B6931DD68241CE3A9AA775F272,SHA256=9F430F30761E4091004EDE4A788BAB51F2870CFED4CF7079141C89F828D8A206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321469Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:36.263{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52933-false10.0.1.12-8000- 23542300x8000000000000000321468Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:36.088{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B01EF2E26034277E30C45524047F5C,SHA256=AB9FA331D04B98005D1427FB917D118D8394EAE5B8E10EEF79633C0808218928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321470Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:37.102{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E645798D0972AE76D5B5644A29B4D1,SHA256=C091C52F3F95F32F469FB372EBBA9634FC565EA979AF682105D166682E653613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321472Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:38.133{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFFA001F47D5E3FEF75BB1BED0F4B16,SHA256=A00FD14A8B25DBFDAC19E525B88FB3EEBEBA2FAB570C5297F01A6682AC52A061,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321471Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:38.008{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321473Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:39.133{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460C58D5E41872EAA3D3897AFD3A2171,SHA256=8186808AC8B3E2611058B7C25763D3BDD85E73B3DE6D65CB7FE47F0F282EA50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321474Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:40.148{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41ED2586C8B39B2DD9B2254C144F8EF5,SHA256=0995DC7E851DBD115EA12BB0128936483D3A5981E51BB9FD312D4E5BF494608E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321477Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:41.791{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4FEB9F7C45A52DEC9311F154E2C0807E,SHA256=2CE8CFA0B454012145C2BED939A9940F6328DCC02566E86C82B93BBF33BCAA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321476Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:41.373{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52934-false10.0.1.12-8000- 23542300x8000000000000000321475Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:41.164{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C436E2AF464C6C29A76033937778FD88,SHA256=E0F0382D4E3CBCD14967E62056B9732F3BCEB9FF542344CFF142549F741D5FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321478Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:42.183{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C20E8E759F09ED9E518EC313C7DA970,SHA256=D86E20352CD235001D7BA63BE7375C63DB9056E6B4577942967C2B4BAB8C1031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321479Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:43.226{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED29DDEF8A6B5813566B5140D66E84C9,SHA256=CF088B903C0271C83FF3F6A052E6FE866A46F506C8BAB4BBCECB9A6A150853CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321480Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:44.226{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948AABA2BB498565214D278382898FDB,SHA256=6EF5CD24F0962829C4A6A21F22B5B17104E89E9E5831B4FE6078E8E5EA687A16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321482Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localEXE2021-02-12 18:58:45.914{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notregasm.exe2021-02-12 18:58:45.914 23542300x8000000000000000321481Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:45.242{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A67F179C0D7DE063C6395EC39AB64D,SHA256=71994B357CB43A825EC60BFA390DB18BACE4A89A616C150C8096D2D4BB7D1C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321485Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:46.930{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C0D3E9667C07FB023020C78B6935DF6A,SHA256=5FA17B575EC6A2593DF273A631FCDB137E2AE30DE0C407C61B5424CFC5B9C249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321484Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:46.289{6A74A0F8-730C-6025-0D00-00000000A301}9885372C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321483Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:46.258{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BFD93171AB35FC1FBDD42FBEFF06D3,SHA256=DD3564ABF7CB04309F0C7C7DF2388C297B76A6B1C7B956351B2B291AC58C461D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321487Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:47.248{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52935-false10.0.1.12-8000- 23542300x8000000000000000321486Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:47.305{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB80BC9A3DCCD43A6608C763FCAEAA6,SHA256=72B9E04BEB588EF1CFEA03D61BABF2A959E4E3B75C79B7D4497EE5868381E2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321488Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:48.320{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F39E73CF54B3179C55BD6C936FA94C,SHA256=8221F100A1841AE09CF8C559AF979EC186B0C8B55A614FD9913723FC1EB15B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321489Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:49.320{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3705A74346C85D20FDE32D1EA1FF82C,SHA256=B4E7485D8FACB9DCDF61E545872B916DB4AF725A74133A5F443CAAA1C03743B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321490Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:50.336{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04E28DB6781F0F12D1B613A48E13560,SHA256=634DA508A5D80861398C73A43137EF4C5B26F72DFB8F5F849FCEBC7B699E2113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321491Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:51.351{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580D6690CDF47437483F0828DED03639,SHA256=3BF6304EC310C38C39482FC2BA4A51507A2B050B79CA8B7A87408881B25BAADF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321493Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:52.310{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52936-false10.0.1.12-8000- 23542300x8000000000000000321492Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:52.389{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9571000F062519F1D5D3B31DD8C68F8D,SHA256=E2099F442BBCEDD22FC8AF978E2E897B5B9FC25B524700A5F4CF62AEC0D017A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321494Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:53.461{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E0F703E3E9D00E860025A465DA6502,SHA256=5ADD0EF84977B83FC25122D1C0147570AF32605E54CB952FDD9D85717DF89D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321495Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:54.478{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389C39B7155F12439558537C7ED05650,SHA256=143F1D5B9335BB6925F2D612E2617FACA69D6643744D8EB0579322D8903D4510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321496Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:55.507{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65831889E6C2FAEAE59D15221886D9A1,SHA256=B6836530F2459B610A71F31CACD19896B7237EBAC33B0100C6EDFEC3D4EC65BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321497Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:56.507{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79076F0BE4B0BB7893183CF3D5B2DCE2,SHA256=D19AE626902D27C72B53C48845F3310FAE6766F187917B198E791FDBCD2CAEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321498Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:57.523{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B06FC27D259A71DA6A34360678C54A9,SHA256=585F862EBE5ED50384B5CB1D4E6B99A6350F061BD7E0F95E2D420FAB018C4422,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321501Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localEXE2021-02-12 18:58:58.570{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notregsvcs.exe2021-02-12 18:58:58.570 23542300x8000000000000000321500Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:58.539{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB57C8FFCE3E73B4C2F7FB606EA36B6,SHA256=1FE43CEE0B75E4DB42AE1D2466BF6DE515DF56476E452ABCB58F85860D5E46C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321499Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:57.372{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52937-false10.0.1.12-8000- 23542300x8000000000000000321503Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:59.617{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7CCC3925AA378193E4F6D80A1BE3C4E,SHA256=858C2E226D0D5D031C5DF731C16C1255CFC17F89F7E1F571107C5536ABDF2B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321502Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:58:59.554{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7648F12A3A974166BA4219BBB03D714A,SHA256=00084E1D30D6E40578603F0DC1A0F73B6009E2C2930E51F6AC2A15D7391BF0DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321507Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:59:00.691{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000321506Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:59:00.691{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Config SourceDWORD (0x00000001) 13241300x8000000000000000321505Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-12 18:59:00.691{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_507F12B8-B6C3-4DDA-9A72-7DBC3B0C5E1C.XML 23542300x8000000000000000321504Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:00.570{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A279CD41392E894AF32221EAF87A922,SHA256=0E2F1F40448D94D606978595BB6F71B2DD7B82881D6E27B5E68B53089F14E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321510Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.726{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365D3342B86B46453D6141807BE5A71A,SHA256=15D2265D9BFBFA1385B54A662C480F0044D1E78096E6375FD5F466845E53CB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321509Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.726{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3FA25703C4B83B0867276C1271E35F,SHA256=D002BD76D3747F9AEA8DDD0E8DA7D1F6412345A4894BCCD216E04273F8718B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321508Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.589{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE2F016C37ED403210C1632F6E56B39,SHA256=29368A23D711872D36C13CEA82F834A3B6017A68721ACC01434DD6922C2BA704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321518Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:02.601{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D803DFE2604983085D36A507BB58ED,SHA256=9D56355B151BE002DE05A7A55702C3052D7DE33E84E6E854476BDEB5809FFF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321517Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:02.210{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321516Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.895{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52940-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000321515Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.895{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52940-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000321514Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.888{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52939-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000321513Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.888{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52939-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local389ldap 354300x8000000000000000321512Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.874{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52938-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 354300x8000000000000000321511Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:01.874{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52938-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local135epmap 23542300x8000000000000000321519Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:03.632{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B3E31E15B37AC4D87868976E1137A,SHA256=4120E77B9026A483CC8CE1B1DEFEC66F9895D7590C1DAF93FA951ACEE6CAFE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321522Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:04.648{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B029522231BAEC84DF0BF350B70ABA,SHA256=8EFA59ABB781B8E5CFF3ED788F04E098FC491164CA73CE6914E25B026DDD2B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321521Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:03.381{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52942-false10.0.1.12-8089- 354300x8000000000000000321520Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:03.247{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52941-false10.0.1.12-8000- 23542300x8000000000000000321523Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:05.682{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95799079F24248EE797ED573BCD1469,SHA256=6E7C96A36EA2410F30C94BDC14646BE672AEB5775391F713DB125B7364A78A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321524Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:06.691{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA12F549D502A3F399D5086636B3EC27,SHA256=22EC5EC80F8609DF9E0CC1B72FC5BBA1E2A45CC067AC9CA8F5AB784C8CEEF6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321525Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:07.710{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A13A5B064D458A4A37302021447881,SHA256=88DBE6C9F34FEF872C0DF5F8A386F16605FF2AA595D935F161934CE54ECDC490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321526Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:08.741{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1C554A555E25CDB1678192C038C381,SHA256=ECC1DB9956B42013031B107CEFA830F7C04E987085182721A741EDAB08799151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321528Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:09.757{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CA544E2ABDC02B59755DE734D594D5,SHA256=7A40ADADF0445A962950D637217C3FC71C6EC0D83251BFF437475ECE726EBB71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321527Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:08.341{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52943-false10.0.1.12-8000- 23542300x8000000000000000321529Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:10.773{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC87E216C1B22AFDAE19FF8D8EC4CFA,SHA256=01900FDF1B72BF050685C60BAD4ADB9C8BCAA6FA7CAD06D56B8266483BAA3551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321595Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.851{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8C9E0161CC6FE6E1AAB6C7C2B34BDA,SHA256=E8248EA82671E2A5854DB2A7ADB5F30FAF0A173D24ED53ACCF01ABC67FF45982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321594Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.851{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365D3342B86B46453D6141807BE5A71A,SHA256=15D2265D9BFBFA1385B54A662C480F0044D1E78096E6375FD5F466845E53CB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321593Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.804{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3093494FB346C83170CF0230DEF50C42,SHA256=B73BC691F13C4D06D333927DC0F0C71413A2DE4A8C3D9111DBDCB980BEF496E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321592Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.710{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3174AFA79261328CCD70FBBEA12032C7,SHA256=E07DB75FAA32EAFA40F2619D1D72DBEEE0C502EE67B5BD226107956972D1F056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321591Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321590Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321589Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321588Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321587Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321586Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321585Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321584Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321583Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321582Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321581Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321580Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321579Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.626{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321578Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-CFFF-6026-CE2F-00000000A301}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321577Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321576Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321575Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321574Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321573Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CFFF-6026-CE2F-00000000A301}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321572Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.460{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-CFFF-6026-CE2F-00000000A301}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321571Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.461{6A74A0F8-CFFF-6026-CE2F-00000000A301}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321570Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.429{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321569Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.429{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321568Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321567Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321566Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321565Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321564Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321563Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-CFFF-6026-CB2F-00000000A301}56848008C:\Windows\SysWOW64\calc.exe{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000321562Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.408{6A74A0F8-CFFF-6026-CD2F-00000000A301}5300C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.execalc.exe 10341000x8000000000000000321561Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321560Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.390{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321559Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.366{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321558Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.366{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321557Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.366{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321556Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.304{6A74A0F8-CFFF-6026-CC2F-00000000A301}74326772C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321555Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.304{6A74A0F8-730A-6025-0A00-00000000A301}8487528C:\Windows\system32\services.exe{6A74A0F8-CFFF-6026-CC2F-00000000A301}7432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321554Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.304{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-CFFF-6026-CC2F-00000000A301}7432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321553Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.290{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-CFFF-6026-CC2F-00000000A301}7432C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321552Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.290{6A74A0F8-730A-6025-0A00-00000000A301}8482928C:\Windows\system32\services.exe{6A74A0F8-CFFF-6026-CC2F-00000000A301}7432C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321551Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.273{6A74A0F8-730A-6025-0B00-00000000A301}8606756C:\Windows\system32\lsass.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321550Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.273{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321549Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.273{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321548Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.273{6A74A0F8-730A-6025-0B00-00000000A301}8606756C:\Windows\system32\lsass.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321547Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321546Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321545Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321544Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321543Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321542Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.257{6A74A0F8-CFFF-6026-CA2F-00000000A301}70767888C:\Temp\notregasm.exe{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(0000000005460099) 154100x8000000000000000321541Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.266{6A74A0F8-CFFF-6026-CB2F-00000000A301}5684C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe"C:\Temp\notregasm.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\regsvcs.dll 13241300x8000000000000000321540Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:59:11.257{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exeHKCR\WOW6432Node\CLSID\{57DA77F3-27D4-3F92-9153-53374796FDFE}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000321539Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.241{6A74A0F8-730A-6025-0B00-00000000A301}8606756C:\Windows\system32\lsass.exe{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321538Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.241{6A74A0F8-730A-6025-0B00-00000000A301}8606756C:\Windows\system32\lsass.exe{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321537Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321536Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321535Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321534Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321533Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321532Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321531Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000321530Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:11.190{6A74A0F8-CFFF-6026-CA2F-00000000A301}7076C:\Temp\notregasm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Temp\notregasm.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000321601Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.835{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B68E5C748A89F86BDE530E631A26A21,SHA256=4BF704E942F23369C7CA54E12CF7132673BEDB1EF0957B730D7161F9E9EFAE5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321600Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.029{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52944-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321599Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.029{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52944-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000321598Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.335{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EDC0FB8793F3D4FF0EDD85C29E926365,SHA256=D0B5AA6317EB32CB916E8F222F141143C97E6853B96EC28A7C5A3391F70EAACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321597Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.335{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=18EC6EA851229803C64F5317441C295D,SHA256=4E82B0642DAD357CF9E74279765390F6F383B60606F9F700DB25250C8EA4B33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321596Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:12.226{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01E543F4F0DA22D8475DA787B724B340,SHA256=9DB6E51EA0BAF0668A6D1803AE35C10DAC9CA4C75177FE190DB2C935C7A80AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321608Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.886{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E2B794D2A2E773F419415D83AEA08B,SHA256=4EE3DAF0FB10AE7973EE352B34862913C3EA03C1683D9BD66DF4D9357BFD2C6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321607Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321606Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321605Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321604Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321603Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321602Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.538{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321626Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.984{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D002-6026-D02F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321625Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321624Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321623Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321622Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321621Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.981{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-D002-6026-D02F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321620Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.981{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D002-6026-D02F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321619Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.976{6A74A0F8-D002-6026-D02F-00000000A301}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321618Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.913{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837C6CACB31A7945C31D309995AF2371,SHA256=ADA7DEFF4C49A9EB7DB54FC58E40AD6B06ADB51DAD24CDC7A0C7994208A7444C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321617Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:13.435{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52945-false10.0.1.12-8000- 10341000x8000000000000000321616Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D002-6026-CF2F-00000000A301}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321615Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321614Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321613Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321612Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321611Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-D002-6026-CF2F-00000000A301}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321610Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.319{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D002-6026-CF2F-00000000A301}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321609Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:14.320{6A74A0F8-D002-6026-CF2F-00000000A301}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321637Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.913{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30929DE0C022159192C1B8190EF2EF01,SHA256=4B966B202FDF0288201DF5B1851EE40B16C95D1C898536EF763EAB8556CDF32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321636Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.819{6A74A0F8-D003-6026-D12F-00000000A301}80563552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321635Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D003-6026-D12F-00000000A301}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321634Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321633Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321632Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321631Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321630Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-D003-6026-D12F-00000000A301}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321629Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.663{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D003-6026-D12F-00000000A301}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321628Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.664{6A74A0F8-D003-6026-D12F-00000000A301}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321627Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:15.148{6A74A0F8-D002-6026-D02F-00000000A301}74003788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.984{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D004-6026-D32F-00000000A301}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.982{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.982{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-D004-6026-D32F-00000000A301}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321649Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.981{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D004-6026-D32F-00000000A301}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321648Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.976{6A74A0F8-D004-6026-D32F-00000000A301}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321647Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.944{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DCB9B3F286BE31777DA6F6CC9EC5EB,SHA256=8EA8DD1966C0BEA0B769C06906751AC6120FA33925F1FC58608D024084984929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321646Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.460{6A74A0F8-D004-6026-D22F-00000000A301}9845876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321645Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D004-6026-D22F-00000000A301}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321644Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321643Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321642Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321641Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321640Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-D004-6026-D22F-00000000A301}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321639Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.304{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D004-6026-D22F-00000000A301}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321638Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:16.305{6A74A0F8-D004-6026-D22F-00000000A301}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.819{6A74A0F8-D005-6026-D42F-00000000A301}55203200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D005-6026-D42F-00000000A301}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-D005-6026-D42F-00000000A301}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.663{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D005-6026-D42F-00000000A301}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:17.664{6A74A0F8-D005-6026-D42F-00000000A301}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:18.007{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893CECB3B767854D56A52EE886A2C779,SHA256=5F0630A38A4E2779D3AD2ECD8DCC0E2420A9C709A90DBB0858A88838316410B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:19.310{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52946-false10.0.1.12-8000- 23542300x8000000000000000321666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:19.038{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2A731CB48113E9B374E77213C8C51,SHA256=9C9E7FC2FDDBF55DBF8BF59225EFBDC003406A3E99F4EF79EA77C51879A3A94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:20.054{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B396B73AF590EB136D223BAE37AF8900,SHA256=CB5566BADAC7214106768422525F9AF42EFE42D58D13331077F5B33A8B5FE4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:21.069{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DE4DC6506895D62AB7C7F8130467DD,SHA256=32B0166EC4488748FE8CB8236A8D5DB308A99CF06570AA061819471DDA986FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:22.069{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE16F430E2DD78892F2B9E6E7EA5E6E8,SHA256=DB69A999C2FA418B324ED3C14732BE6ACD3B7CDBD50C4A34630602B902DA80CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.444{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.444{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.413{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.190{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000321672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.189{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Temp\notregsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\regsvcs.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000321671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:23.132{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905FDFEE714415DAC897CC8ACF365D9D,SHA256=CFA12A45FB064EDF99269B063A01FEB6C637F6994DA82E81D9CDBBD5B12EFE14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35483404C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.856{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.647{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.647{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.632{6A74A0F8-D00C-6026-D62F-00000000A301}12047904C:\Windows\SysWOW64\calc.exe{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x8000000000000000321703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.631{6A74A0F8-D00C-6026-D72F-00000000A301}4352C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.execalc.exe 354300x8000000000000000321702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.403{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52947-false10.0.1.12-8000- 10341000x8000000000000000321701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.616{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.616{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.590{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.590{6A74A0F8-730C-6025-1600-00000000A301}1532920C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.590{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.569{6A74A0F8-CFFF-6026-CC2F-00000000A301}74326772C:\Windows\system32\svchost.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-D00B-6026-D52F-00000000A301}80642100C:\Temp\notregsvcs.exe{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\Windows\System32\KERNEL32.dll+5f80d(wow64)|UNKNOWN(0000000006030099) 154100x8000000000000000321689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.551{6A74A0F8-D00C-6026-D62F-00000000A301}1204C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe"C:\Temp\notregsvcs.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\regsvcs.dll 13241300x8000000000000000321688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:59:24.538{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exeHKCR\WOW6432Node\CLSID\{57DA77F3-27D4-3F92-9153-53374796FDFE}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000321687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.538{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.522{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.522{6A74A0F8-B03D-6026-B92B-00000000A301}41087456C:\Windows\system32\dllhost.exe{6A74A0F8-D00B-6026-D52F-00000000A301}8064C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000321684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.190{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C006DCB40C47C841C3EB842005FA508,SHA256=F43B824C4B1C865872469A193BE71270CDBAE795C2185571038AB8FA27CE8198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.147{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580497B1B88C985CCE7DBAB5B8E9DBD6,SHA256=FD6C9E488FEAD71295C1F244F03AFBE2990E5DE5E15694A9D61F545524173341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.913{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.913{6A74A0F8-743F-6025-3302-00000000A301}35485816C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.890{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.890{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.890{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.890{6A74A0F8-743F-6025-3302-00000000A301}35485848C:\Windows\Explorer.EXE{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.590{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C33B4651C51B3F8FC92838B809E720C8,SHA256=3232CC1728BBA6CB2657F3938FB70770F2A377F6A3C6738D4BA7734A159C8F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:25.538{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241C9EDE18E41DC41849B073E17B4D36,SHA256=D015640FBD6D6A675D62FCA10A97BFFC1F5C4809388CE0843D06D5760003FAC0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000321725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:24.654{6A74A0F8-D00B-6026-D52F-00000000A301}8064WIN-DC-444010.0.1.14;C:\Temp\notregsvcs.exe 23542300x8000000000000000321734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:26.538{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8BB5D00EE00E296EF895C3FF89422D,SHA256=7AB41B1E3B52AB91FD69CB4E8F960CB7D60869C27D8C66AB0B0A4F621CF576B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:27.554{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D7ECF0A4A6ABFDF98E09543AB05CC2,SHA256=1A99DD171F1C7D84D6E2593A84CA06398E93B035A1EBC03F9518CE7DF3C4F52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:28.569{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830C20125FFB7C97806E40FE23B9CE82,SHA256=276FE6434F394AD302C3FF49E40372C92B905CD4885975488698E3A1EB9EB9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:29.588{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701D88602749AD7873FE42F366F75206,SHA256=C52D1C8D2E2BFAB9FDAB738F62F99C44DDCE0A656FEB5B9FA528358F0E745E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:30.247{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52948-false10.0.1.12-8000- 23542300x8000000000000000321738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:30.600{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B5D7F3834F7FBC7B12D1E07ACAC211,SHA256=8D5E4F964D5EC2D6114FE9E1BDFCECF46E19317456AFE33A342E533662FAD811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:31.632{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313C40F075BD14ED69494D384ED92328,SHA256=A36C3A1E6E69656501C2CA2DD8E8DAD6D0A3B2D63419C51C75BC52723E79B6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:32.663{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2824778DF90C71083089C28571D89F,SHA256=61A59AE1BCA851E96D9087BA4DA804221F5F82F27DB5D4F8098F52D7CE10304E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:33.680{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0D9078B8230A8202D87EBFB194A03F,SHA256=FA1E720CE8E216C4C9C11F93939F933E893AF7083FC61907C34F36FE3C08DFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321743Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:34.690{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748CD60887694CB81D75C6FF3DA434E6,SHA256=2CE7417E25411C3F7E237F7FC38CE1B0EB61D74D55122F648CAB2A6B814B59F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321745Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:35.309{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52949-false10.0.1.12-8000- 23542300x8000000000000000321744Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:35.725{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042CDF53CAE9A657707BC2ECFD7EA13A,SHA256=2B754D11B5324C8BB55EEA88A88492723409501D81EA55E9C7053E3C9A23DD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:36.741{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60DB423C27F1262832F280C8F22D430,SHA256=79D0B1170C7314C7F64707087B4A8FF7A0C0DB8786E40ACEBC3C1B04C943C8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:37.790{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D23FF6D3EDE57DDFC53A7837D59E1D,SHA256=EA85298F3B1B43C57E377F19C9B15820326A7D2C71904F54D290F5D92D32B5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.803{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7AEDA5873F3CB6697CA61EA2620D67,SHA256=3F2C9F031B6E9209135211D788F7F87E52148BB3241B9756250166974D1B6320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.272{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.272{6A74A0F8-730A-6025-0B00-00000000A301}8603172C:\Windows\system32\lsass.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.256{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.022{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000321748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:38.028{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Temp\notregsvcs.exe" C:\Users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000321765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.803{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D85EE197E2BCD84A833FB9F3F0DC42C,SHA256=6A625B925F6CC610C07D548FC51C52BCC5F947F557CE99C67B392769E4D020FA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 18:59:39.366{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000321763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.366{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.350{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.350{6A74A0F8-B03D-6026-B92B-00000000A301}41085596C:\Windows\system32\dllhost.exe{6A74A0F8-D01A-6026-D82F-00000000A301}7524C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000321760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.038{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=365F89E36927390E428261E37F12A468,SHA256=5E07CC2E9B79460A4AC5EC7751D9AE04FC85764DD2C121FC55DD2309BDAB280C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:40.834{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DF92AA9F136C5D37BD928970C1EDEF,SHA256=270B5C61052714A15A3CDE73F05D7B168A9F15D05B51ADFBC405BC12CBA694F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:40.372{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52950-false10.0.1.12-8000- 22542200x8000000000000000321766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:39.485{6A74A0F8-D01A-6026-D82F-00000000A301}7524WIN-DC-444010.0.1.14;C:\Temp\notregsvcs.exe 23542300x8000000000000000321770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:41.850{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022F2BEBECBF4E03154B9DC1EF043A35,SHA256=5AE6702BB3F098D50AC5F4C17C297608156A5001B3BB3EA9130F6AA5E027E792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:41.803{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=839C1CC8BC7317538BDA58D21AECF74E,SHA256=9498D846BC7F4456AF8F31D6EF8118EE2CB19A47DF9497DB09E31DCC2066AA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:42.866{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC365F000DE198A0A1438C1B3F5F75BE,SHA256=E8375667E95C08F068071F802474FD37EF147E1A9F55E29C68EF1C75A7B61617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:43.884{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0A0697A1581E0099581B1ACBDF0AD5,SHA256=AA6CC7CA34E4375E96E9665829036DAA387A694F7796604FC53A111767F0CE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:44.912{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E17F782FFBB98B041511B5D025F6881,SHA256=958C15BC7AFF36965D14761B5B99F3451CA9BB9C708C531C1F8B8922221DB362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:45.944{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD4988B085B06176C4E87C27DDF86D5,SHA256=0EC93665FA36ECCD4BCA2DB70F1E03A87EB0C641D24B5C8A5CF2F8B4CC717D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:46.959{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1689D2EEC0D41FAC2C44181C34B7FB3C,SHA256=4F5516AB6B4140BD0730618F954DF6C6440C7EC89FC9B83DE45A0A90A78E74E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:45.419{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52952-false10.0.1.12-8000- 23542300x8000000000000000321777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:47.979{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58E90F78D8F485B2183937C35048B3F,SHA256=E3ADF34D65FE713144C5B83CA038610A5AC05C93EAC742B5FE619A084E4D5B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:49.006{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412094B3EC1DD931E7A4619C04BE76E8,SHA256=6275815F07682FC25B92CAFE56A0EF5ADD9398EF9D6EC535DE8D2C41BA5B64BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:50.022{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE91123D253FE8C49AE9E09AF945D62,SHA256=8BD472B33D75E20D4A6D0AD262B041108C3312A375A7CCA68C4B9410545F5019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:51.037{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83354C447EA8B1B7831C7F333B66A51F,SHA256=79C010009CE8D41F9110AB473764286A5093957B94AC00BA12258EDEA45B7203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:51.262{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52953-false10.0.1.12-8000- 23542300x8000000000000000321781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:52.069{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414F9F573F2F47715A29101E0A7D58FF,SHA256=61F757B525B9903C0EB0961B9B83F8CA8162479547A057BCFEA0565A68743552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:53.069{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24ABBFD204F5BC3F613942206816496C,SHA256=3DE03285F4AF04ED38987185FFCDBDE2861B0C6F4459363E01DB325DC9B9677F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:54.087{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F3B8745D89DD81AAC33D9CCF4B27E2,SHA256=8EDC703762ACFD859E2F15076D95BC7E737AF02AF3CEA133273A1B7DE763945C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:55.100{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD80073092B69ED295822E64EADFADE,SHA256=A04D9BAB0AB0294495EE522189282A4E55461CABBF4CA770F0E9A12FC0EBB09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:56.131{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22624215F780F6AFC54A373E5C5D0BB3,SHA256=D8031E87F116AAB4D865C81E26AB5B96802D467F23723E45E3BCA6614F95C3B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:56.325{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52954-false10.0.1.12-8000- 23542300x8000000000000000321787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:57.162{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C975D374B540158FC0F9C02C3A4E794,SHA256=E028C90622E2FDB67CC5E93B7852CDE19A52F87AC60E8D93804F3167A6BC3E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:58.162{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E654D365684E3BEC8CE3777E25867BE,SHA256=EDBB2ED4C318A88E522BD581BDF55301AA8DD05F234449D7A8EB406655618002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 18:59:59.189{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375E712766711D565B1AF7366293F5A9,SHA256=B95A91BB6E200AAABD009AF43396A043EE5D3AD837426C9817D2DAAC8248D8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:00.271{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EC8672A993052C34B177836C3DEAD5,SHA256=C26154E8BAF52E62383EA21CE612867E15B8F1B7DEC0F7AC4B96C25941904FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:01.372{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52955-false10.0.1.12-8000- 23542300x8000000000000000321792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:01.303{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53645EF1B5E80F0FE734517578166753,SHA256=4C693B2E5D83F262E4B709E14A50341AC2F41D4B70F2A277CDC85AE6CCAD9DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321824Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321823Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321822Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744C-6025-4502-00000000A301}6044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321821Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321820Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321819Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321818Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321817Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321816Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.586{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321815Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321814Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321813Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321812Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321811Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321810Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321809Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321808Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321807Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321806Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321805Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321804Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-743F-6025-3302-00000000A301}3548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321803Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321802Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321801Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321800Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321799Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.585{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.584{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.584{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-744A-6025-4402-00000000A301}5928C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.318{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3105674B5455B8744A7A9A9674F01A2,SHA256=08EA04C83324EF874D9EFC0878C5C1FF101A986A603154D5F319B45A8B2EF127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:02.240{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321826Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:03.443{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD7EB624447D716CA8F9CFE128CE52A,SHA256=6D77DCFC5F9AED2C61A8A085C8CD62B777B7139C1B266063FFDE6C9CB6AA30F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321825Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:03.419{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52956-false10.0.1.12-8089- 23542300x8000000000000000321827Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:04.459{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B755EEA9444801AFD6A2BF8EDBE219E,SHA256=11281C33C54E54B087DCDDDFB9F323DC8CB9B13BCC48C3CB24EF7C9820B178E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321828Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:05.477{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641E29097CEDF44131CFBF43004EA442,SHA256=6EDE3D0609772B78DB3B66B1C55F77423EECBF94368E49FE695A8028501BAE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321832Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:06.803{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000321831Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:06.803{6A74A0F8-743F-6025-3302-00000000A301}35484808C:\Windows\Explorer.EXE{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321830Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:06.803{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5541235.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321829Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:06.506{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28038BEDFF1FD2D2DF51423322BA8693,SHA256=D937F164E289809A43054387583876A45BCFF439236313A3A414B1F10C9C85D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321834Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:07.263{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52957-false10.0.1.12-8000- 23542300x8000000000000000321833Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:07.537{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E036490E6B50ACECB2608951CBB27A,SHA256=901DE6E6A58EB5AB0CC37365BDF5E6B1FD021FF3929035C9F523323C952EEF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321835Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:08.553{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410E1E72522069EE8A3187766ABD8A23,SHA256=4599593C30444058269E77B1F294FB89F20ED4FAD863717D214B3D462B379173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321836Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:09.568{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9001BBC2E362739B3EED02293588E4,SHA256=2201B18388CC980FB4E54B25966D6FE453EFCFD37E6AC03E3E66F5681C3C7709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321837Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:10.586{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E3C042775120F3F92007F3E63A93AA,SHA256=E2D2F3555A642E15AC758D98117EFFB2808901146B441632B712011DFC6E909D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321848Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.865{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC31C74C64322A64ACD54B87E2E1F4AA,SHA256=A2329F8FE72BA3CA3ACA4EAF8965FD6E6D7008F845A611CF7434A06AE67FF366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321847Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.865{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8C9E0161CC6FE6E1AAB6C7C2B34BDA,SHA256=E8248EA82671E2A5854DB2A7ADB5F30FAF0A173D24ED53ACCF01ABC67FF45982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321846Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.599{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09DAFFA29E398AB8792F7935DEE89EE,SHA256=3D72B568A7ED2ECACB9701B3E446B868E11609DB6D55F32B61E8640439265CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321845Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D03B-6026-D92F-00000000A301}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321844Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321843Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321842Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321841Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321840Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-D03B-6026-D92F-00000000A301}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321839Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D03B-6026-D92F-00000000A301}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321838Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:11.506{6A74A0F8-D03B-6026-D92F-00000000A301}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000321852Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:12.599{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DC38F31A8B546DC04465F98EFD4B9F,SHA256=C541827C45B56AB7A21741309794BD14223662328D7AFDE9CBFE1832621BB45F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321851Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:12.324{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52959-false10.0.1.12-8000- 354300x8000000000000000321850Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:12.044{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52958-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x8000000000000000321849Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:12.044{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52958-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x8000000000000000321853Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:13.631{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42F1E8786330A71AD4AA6E023EDD352,SHA256=C9F16548B110923FA209C4B56619CB7DFB3D0405C7F55B2A08868ABBABA0FC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321871Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321870Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321869Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321868Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321867Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321866Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321865Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.771{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000321864Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.780{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exe"C:\Temp\notregsvcs.exe" C:\Users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000321863Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.662{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D2A87D2B4EBCB458EEED1565CFC8B2,SHA256=60A50A2929ED36C54F6C1E75C8DDE0689EDA15B7C399F310A1387FB2556CCE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321862Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.631{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AD3AD07CEBDB7CEA1E3718FD6EF494F8,SHA256=6C16E0275540488E9BBDCC5A16367B1A1787463C3F5CFA829C624D6670CE6ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321861Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D03E-6026-DA2F-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321860Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321859Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321858Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321857Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321856Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-D03E-6026-DA2F-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321855Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D03E-6026-DA2F-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321854Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:14.334{6A74A0F8-D03E-6026-DA2F-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321894Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.849{6A74A0F8-D03F-6026-DD2F-00000000A301}68445832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321893Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.787{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D8DDE8FB213D184EE3B5F13426DEF125,SHA256=7F29D59EE44EFCDC3F0ECE37350D563A1616499283E657B2C3C9FDB6BFED4087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321892Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA221CDFF97D791C787A5F3F1ED8908A,SHA256=07F5A6A6736FD8C9F0E8A8C7BE9AFEC5BCC3C925C4A8484D5C56EB49BB18667F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321891Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D03F-6026-DD2F-00000000A301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321890Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321889Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321888Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321887Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321886Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-D03F-6026-DD2F-00000000A301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321885Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.693{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D03F-6026-DD2F-00000000A301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321884Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.694{6A74A0F8-D03F-6026-DD2F-00000000A301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321883Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.177{6A74A0F8-D03F-6026-DC2F-00000000A301}73607828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321882Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.019{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321881Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.019{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321880Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.014{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D03F-6026-DC2F-00000000A301}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321879Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.012{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321878Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.012{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321877Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.012{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321876Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.011{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321875Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.011{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-D03F-6026-DC2F-00000000A301}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321874Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.011{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D03F-6026-DC2F-00000000A301}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321873Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.006{6A74A0F8-D03F-6026-DC2F-00000000A301}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321872Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:15.008{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321908Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.755{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D92379B8FA416DD1E023E0428922882,SHA256=E70C797A0EE624EEDA569C1FF777C52034FFA07505B45703C060F1D28B15F186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321907Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.519{6A74A0F8-D040-6026-DE2F-00000000A301}77361696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321906Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D040-6026-DE2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321905Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321904Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321903Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321902Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321901Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-D040-6026-DE2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321900Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.365{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D040-6026-DE2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321899Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.366{6A74A0F8-D040-6026-DE2F-00000000A301}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000321898Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 19:00:16.119{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000321897Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.119{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321896Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.099{6A74A0F8-730C-6025-1000-00000000A301}11722084C:\Windows\system32\svchost.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000321895Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.099{6A74A0F8-B03D-6026-B92B-00000000A301}41087456C:\Windows\system32\dllhost.exe{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\COMSVCS.DLL+15400|C:\Windows\system32\COMSVCS.DLL+8c3e|C:\Windows\system32\COMSVCS.DLL+6b650|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 23542300x8000000000000000321929Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.771{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C55F50E7B327DC67E3DF5116CC628D,SHA256=C00BD5E4A9198A1562771F76D23D746763535F265E332F2FB83450FA94EEC86B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321928Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.717{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D041-6026-E02F-00000000A301}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321927Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.715{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321926Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.715{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321925Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.715{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321924Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.715{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321923Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.715{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-D041-6026-E02F-00000000A301}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321922Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.714{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D041-6026-E02F-00000000A301}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321921Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.709{6A74A0F8-D041-6026-E02F-00000000A301}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000321920Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.403{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52961-false10.0.1.12-8000- 354300x8000000000000000321919Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.324{6A74A0F8-D03E-6026-DB2F-00000000A301}7700C:\Temp\notregsvcs.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52960-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000321918Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.193{6A74A0F8-D041-6026-DF2F-00000000A301}75041064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000321917Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:16.238{6A74A0F8-D03E-6026-DB2F-00000000A301}7700WIN-DC-444010.0.1.14;C:\Temp\notregsvcs.exe 10341000x8000000000000000321916Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-D041-6026-DF2F-00000000A301}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321915Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321914Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321913Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321912Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321911Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-D041-6026-DF2F-00000000A301}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321910Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.037{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-D041-6026-DF2F-00000000A301}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321909Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:17.038{6A74A0F8-D041-6026-DF2F-00000000A301}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000321931Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:18.834{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000321930Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:18.771{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB6EAC5A007DC448033C3E4408375A8,SHA256=4884DFB0A9ACE0A97A05E366F58A4A85DD88A1C319E080DF07127315BBADE20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321937Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.849{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E11F60DCE712A7F6E58E557DCE5D87,SHA256=B9F02719E83C196BF613C2DD055A468188526C0B9E460F744D7D4E16359733DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321936Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.849{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC31C74C64322A64ACD54B87E2E1F4AA,SHA256=A2329F8FE72BA3CA3ACA4EAF8965FD6E6D7008F845A611CF7434A06AE67FF366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321935Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.802{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F13300DA5E49C125400845C7D39E4B,SHA256=4696CDBC00C89B339A9FE4E9630F5C640F4A4BB1ADF4CC92B85DC35C988A394C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321934Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.512{6A74A0F8-730C-6025-1600-00000000A301}15324300C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321933Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.512{6A74A0F8-730C-6025-1600-00000000A301}15324300C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321932Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:19.011{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=756BA51692140AFFAFA52940F5A9C63E,SHA256=270B22272767CA697B54E3F30304B8D400877470A70173BF19EBEC3C700C4AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321940Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:20.029{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52962-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 354300x8000000000000000321939Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:20.028{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52962-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 23542300x8000000000000000321938Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:20.833{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C434C049D9BEDAAF537FF330B40B49AB,SHA256=5A1CE6DACE231FC782A5C1A685254C3C81FB568C7E94ECB67EEA82F9661D9E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321941Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:21.833{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0826BAB144BA4806313542074970EA22,SHA256=B7CE59A4CFB5A0A4F7DB6A83E0A4F4C358A82D96CE99D4B44914D3CC44144F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321942Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:22.880{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A53CA3A6E17A61D66FB0004A3AECFA3,SHA256=1FEF096096FD67D4DAFA2ACECDF3FBAE31020FF7E7C9F1042841C7DD40D5088E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321944Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:23.278{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52963-false10.0.1.12-8000- 23542300x8000000000000000321943Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:23.896{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9FA9F8CA9FB5D4351300B28203ACBA,SHA256=EE5153594A6DAE2FE6F14719B049627C2CDB2D093B14DB654BF8208987E708F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321956Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.919{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3A4D4478255DE689BA73BE5F3271E0,SHA256=07E1BB2B120DF294A63432592EA2FDF23DB6089C50D5C01A0AC095DD8D816121,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321955Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localT1122SetValue2021-02-12 19:00:24.552{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exeHKCR\WOW6432Node\CLSID\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\InprocServer32\(Default)mscoree.dll 10341000x8000000000000000321954Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.537{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321953Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.537{6A74A0F8-730A-6025-0B00-00000000A301}8606616C:\Windows\system32\lsass.exe{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321952Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.508{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321951Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321950Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321949Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321948Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321947Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321946Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.490{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x8000000000000000321945Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:24.502{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exe"C:\Temp\notregasm.exe" C:\Users\Administrator\Downloads\netconn.dllC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000321959Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:25.943{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97EF19A8396A1F5CEEC02EB209EC71,SHA256=1FF8714FA288E8356C8CDBADA8E8729BB0445DAF7085C98A35DE286EC8227D0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321958Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:25.762{6A74A0F8-D048-6026-E12F-00000000A301}944C:\Temp\notregasm.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-444.attackrange.local52964-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000321957Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:25.508{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CFB1FCB761D3E190EED6DE4F003DDAB5,SHA256=779E4F1676DB2407B080B27E6D4242FAFFE82C0388210D9A6313989BE9E6F0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321960Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:26.974{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038ECDB4CA6B0464DF0726F998A0FED6,SHA256=B4EA2274F445550E9ADF73D813C531E89EF0F1BA47FD3A314F9141D718730A76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321962Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:28.402{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52965-false10.0.1.12-8000- 23542300x8000000000000000321961Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:28.036{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD64E8EF1C21B7C2133ACE560F34F90B,SHA256=82E46004CD3B6BEC64FE880632E3079F78E7A0817DA042656A05A3F27169C4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321964Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:29.896{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B0A92E66E2AC6B3875FAE30EC385B8F,SHA256=2AB1E6F78F92E128E1FC00259334D44AC495B218B735771CD34AC9205C02512C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321963Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:29.036{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FFD7A40AB440DB421313663B0A40A8,SHA256=16B4309DD1199FBE1B8D28061B165B44CDFF1880F0B04FE68F7F6FA13130B1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321970Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.599{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EB6BB01D8905BE2D8E2C93D6C8C2814,SHA256=8EB7D8EC9C75C3F3301DC21F4E313BBD4909AD9AAB0C5BC84057BA91088FE87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321969Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.599{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E11F60DCE712A7F6E58E557DCE5D87,SHA256=B9F02719E83C196BF613C2DD055A468188526C0B9E460F744D7D4E16359733DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321968Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.474{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321967Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.474{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321966Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.474{6A74A0F8-730C-6025-0C00-00000000A301}6086036C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321965Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:30.036{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64BA4C263A344F9096CF4CDE63C36E5,SHA256=C7B1FC954F6D2F454EB5732B8D7476CF5002ABA410B5E0E479FB84CF970E2262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321971Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:31.068{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428492AEA619B3C35ED624CD986D0B87,SHA256=B46F57BDE0668DE60B08EE6FD4183FC0FD2BAF93B8CCCF6FCD582A5AA7703119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321972Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:32.099{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571F9D30DE35A463A4AFD434D3592189,SHA256=FC93AB3B00EA52BD1CD4EC82DFE759A093A6E0193212322354C95F291B7E4494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321973Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:33.118{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6173D94060D3AF42784C4B4E38996E,SHA256=8657B12329602BD4538796C4A39BEE6015C6006A1C43245C481DC39D348D33CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321974Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:34.130{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003B2E9AD525322939BC10B60CE1EA55,SHA256=CD46C66424C5E2BC6228B2187E536D12496A1CD5592B9F50F4D320135E2DADC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321976Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:34.246{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52966-false10.0.1.12-8000- 23542300x8000000000000000321975Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:35.146{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B65A6436508369ADDF2960FCF90637F,SHA256=0DB47CBE2EE00BFA95FC03A087CBEE190F918FF2C43C35E83F52759EEB3F193A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321977Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:36.161{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2536B5225B79D456B72EC3B098BE25,SHA256=CEC0A2070F22C273F08E063B0111A714480EB1B68D7F625795D1A4968B950D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321978Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:37.161{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F929FCCF01600C68D114D38140F8E46,SHA256=62B578766BBE715B021DDC5A4D90A5C8A5FE54A5DDE3D83A358399FE49FA9452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321979Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-12 19:00:38.271{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EED3B033B713F5D0617ADB625CC1E20,SHA256=648F94079A6D35405ADEDCD15795E244E2A58C6CC4944FC7875D1FD66DFC64A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.953{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC5BA18F6322E00469FDE7994F8CB682,SHA256=5F13C04BB70AB3B46ED13B1522C2B3B43C50B30EFEC6A9F4548E52E2A7D08EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.833{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D703FC2DFD2C2AD745EF9923FDB49B,SHA256=DA37E127246395806F7E6CE79AB6F2EACDEDB74F55CD63A526A0A23F4721B785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.515{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D53AD19CA14F7AB235861AE232D908BA,SHA256=C417B67C2ACA43317AE72504AA04DCC1DF8DE68874CA661B0ABDF38C36765539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.062{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E8CB454ED422F319EEE839BA2539A9,SHA256=C55B1CB13D28B96C2D33586377C022FE30DD9AB46995CADFB5CE0B10900F5BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.015{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:09.000{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002098727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.984{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB9770A91A42FABDEF3A7DD375AC3018,SHA256=2F3A80996F027C7A4FEDFC8D7940AE5B84585B98168DD7C541266F90C5FD6A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.859{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7D17FA65DF9A5089D1454A85AF4AF3,SHA256=CA009CBDEDEE2FB7978DDB893518BC9FEEFF7B347498E4EBE66498FA9C9C0B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.537{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53880F2E99E57010118A261920C17974,SHA256=D05B0590FFEC0C6DCBA5FC4DCB131AA24E8831C403732CC78836F61D6783695A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.078{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2C2B07B96B0469BD622765F5FFD37E,SHA256=F4A7F3E63AF2E5B3A181EFF62FC98A9FB4CF9DA2624926F454A7C49611D6CC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.037{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.036{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.035{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.035{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.035{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.035{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.035{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.034{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.033{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.033{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.033{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.033{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.032{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:10.032{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098799Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002098793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.890{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A080A561E5B58CB93A74423C95F93B00,SHA256=983D056ECC4834701C5EAFBFCF714D818A0EBC91AF772C4A6E86A98BCAB837D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.578{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96DDD785F41E460E73021BE4511E24A3,SHA256=60989718EF3E0EBBFA1D48D31038595099AEB1BD14EA970E853E20E86B473318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.127{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8243D6D28CFEECFE0451766B607D49,SHA256=3E6BFA7A63F024BC233DBB6D4042386DB2462F2D070DC276BE40990C45C2F4B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098745Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098744Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098743Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:11.047{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002098875Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.906{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF39697A47A8E9F2AC819C0B6E736B62,SHA256=F703F44D3B14667E1BE6DFACE4763C36061B486E1D2DE5CBF1E2B7F528991936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098874Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0700-602C-CFCC-00000000A301}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098873Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098872Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098871Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098870Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098869Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-0700-602C-CFCC-00000000A301}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002098868Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.765{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0700-602C-CFCC-00000000A301}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002098867Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.751{6A74A0F8-0700-602C-CFCC-00000000A301}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002098866Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.687{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D1B7753B323462D96525E8DD9C30E60,SHA256=BEF8997B0401814C09E132001CBBDAA864C71915B3211BB047F54514425F654D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002098865Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.134{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52505-false10.0.1.12-8000- 23542300x80000000000000002098864Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.109{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE44D1D0F171A66D2994F7A461FDE660,SHA256=E8935E13BAAD0405A06447244A761E8AC565EE6040A01554F98EDC4843D0F812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098863Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098862Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098861Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098860Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098859Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098858Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098857Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098856Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098855Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098854Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098853Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098852Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098851Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098850Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098849Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098848Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098847Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098846Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098845Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098844Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098843Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098842Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098841Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098840Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098839Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098838Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098837Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098836Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098835Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098834Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098833Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098832Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098831Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098830Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098829Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098828Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098827Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098826Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098825Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098824Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098823Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098822Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098821Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098820Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098819Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098818Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098817Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098816Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098815Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098814Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098813Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098812Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098811Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098810Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098809Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098808Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098807Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098806Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098805Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098804Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098803Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098802Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098801Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.062{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002098800Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:12.037{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89447854DF4C50B3DAF3A4BE0845B0BA,SHA256=BFA4A16FD25368F35C5672094835DB998C583F03E4578210980519051B1F1E29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098950Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0701-602C-D0CC-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098949Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098948Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098947Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098946Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098945Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-0701-602C-D0CC-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002098944Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.937{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0701-602C-D0CC-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002098943Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.922{6A74A0F8-0701-602C-D0CC-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002098942Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.926{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990C1584C1F55A0395128C157EEBEC69,SHA256=B184CA794F9E4E2343CD67A384916AABB3F932ADF41D51CEEDE872A6710DA853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098941Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.837{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F36C2DA47A41A2EA985A887D25602746,SHA256=61BE2EA6A7EE18CF9E36DE8AF7A713E1FBA6D951AB6CD229FA0A5F0B183EB37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098940Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.156{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9C3E4DA53E535FE85581EA7AC998E3C,SHA256=70794763CF83E5E90083C3025B0C34AA13E4CD0429E2CBA9E519C86A80E4CEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002098939Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.156{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60EE3B9ED6C4640B3DD0E67D014DD26,SHA256=48A6D65622FAB22925CC1700A2D7F7477670C90BE8E8ECF51F89BEDAC59B377F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002098938Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098937Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098936Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098935Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098934Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098933Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098932Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098931Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098930Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098929Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098928Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098927Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098926Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098925Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098924Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098923Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098922Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098921Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098920Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098919Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098918Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098917Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098916Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098915Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098914Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098913Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098912Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098911Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098910Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098909Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098908Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098907Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098906Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098905Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098904Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098903Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098902Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098901Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098900Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098899Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098898Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098897Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098896Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098895Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098894Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098893Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098892Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098891Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098890Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098889Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098888Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098887Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098886Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098885Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098884Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098883Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098882Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098881Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098880Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098879Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098878Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098877Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098876Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:13.078{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099033Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.968{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB230FA03C7822B5377A3EBA84D203D,SHA256=B58347775C281BDD23FC9751E71DB979785F569820AFB3120C01F47FBDF3623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099032Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.875{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81B2A0C0E35D798CB0BB13E530A166F8,SHA256=8F83C34302ACD4A94A07EE949FD5176B7A66FB4D592BCF838F8C2839C9A5B9A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099031Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.875{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099030Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.672{6A74A0F8-0702-602C-D1CC-00000000A301}65687936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099029Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0702-602C-D1CC-00000000A301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099028Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099027Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099026Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099025Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099024Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-0702-602C-D1CC-00000000A301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099023Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.515{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0702-602C-D1CC-00000000A301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099022Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.501{6A74A0F8-0702-602C-D1CC-00000000A301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099021Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.312{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C64E9ACC228905339FB0D08096245C8,SHA256=787CFC4CDED5E489537305BBB0086851C780E6C01B752D14487D194AD49C7855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099020Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.312{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A742A29EA681CE1427A5E1291AB6B707,SHA256=CE0EEEBE735DE0D4001128041DA10061692170B96EB7813C7328301A422162EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099019Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.297{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099018Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.281{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099017Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099016Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099015Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099014Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099013Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.109{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099012Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.109{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099011Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.109{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099010Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099009Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099008Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099007Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099006Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099005Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099004Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099003Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099002Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099001Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099000Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098999Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098998Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098997Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098996Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098995Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098994Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098993Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098992Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098991Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098990Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098989Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098988Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098987Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098986Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098985Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098984Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098983Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098982Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098981Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098980Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098979Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098978Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098977Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098976Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098975Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098974Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098973Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098972Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098971Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098970Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098969Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098968Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098967Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098966Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098965Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098964Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098963Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098962Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098961Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098960Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098959Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098958Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098957Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098956Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098955Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098954Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098953Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098952Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098951Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:14.093{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099116Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B9F0583D3A48B65DE130761AF65BCD8,SHA256=F1CDBBFC3814EE284B6FB7A4362E443F2E26F340341873E5AD0FA45F3B93AAEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099115Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0703-602C-D3CC-00000000A301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099114Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099113Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099112Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099111Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099110Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-0703-602C-D3CC-00000000A301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099109Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.890{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0703-602C-D3CC-00000000A301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099108Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.876{6A74A0F8-0703-602C-D3CC-00000000A301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002099107Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.359{6A74A0F8-0703-602C-D2CC-00000000A301}58927772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099106Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.332{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D0083266D888F0FB5387D512A053BBB2,SHA256=7CD3983A81BA183F4C4512EB858AAD5BE584B04D13695D113947B6039962FD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099105Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEBA038014E12915AD92C87D8CDFB9D,SHA256=EDBC3B62013E9F739AE163149BFE28E98C3EA08046D6D312FDF75E0A3CE39F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099104Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0703-602C-D2CC-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099103Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099102Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099101Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099100Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099099Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-0703-602C-D2CC-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099098Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.203{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0703-602C-D2CC-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099097Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.188{6A74A0F8-0703-602C-D2CC-00000000A301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002099096Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099095Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099094Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099093Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099092Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099091Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099090Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099089Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099088Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099087Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099086Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099085Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099084Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099083Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099082Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099081Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099080Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099079Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.137{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099078Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.136{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099077Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.136{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099076Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.135{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099075Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.135{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099074Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.135{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099073Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.134{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099072Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.134{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099071Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.134{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099070Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099069Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099068Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099067Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099066Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099065Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.133{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099064Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.132{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099063Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.132{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099062Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.132{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099061Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.131{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099060Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.131{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099059Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099058Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099057Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099056Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099055Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099054Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.130{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099053Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.129{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099052Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.129{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099051Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.129{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099050Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.129{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099049Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.129{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099048Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.128{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099047Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.128{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099046Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.128{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099045Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.128{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099044Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.128{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099043Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.127{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099042Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.127{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099041Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.127{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099040Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.127{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099039Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099038Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099037Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099036Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099035Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099034Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:15.126{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.425{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0704-602C-D4CC-00000000A301}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.423{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.423{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.422{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.422{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.422{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-0704-602C-D4CC-00000000A301}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.422{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0704-602C-D4CC-00000000A301}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.407{6A74A0F8-0704-602C-D4CC-00000000A301}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.359{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AF9A1E7A4565E77CC79981E0CCD7920,SHA256=CB5E3BFE553BC7B9DE3802A2388E0F2D23EB70D032E3EFAA8C5B65F3EB18CDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.203{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5D836430288F728586A819D37AC785,SHA256=9309BB402001053DEF53CF17DEDB98303BAAB3979729FF1E31D5AA827D52563D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.171{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A3BFDE266F8CB41A325BCEA732CF8D,SHA256=40589722F038D2087A81CBE29F16E6141D04398DE435C28E101CBA89481DD243,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099156Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099155Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099154Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099153Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099152Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099151Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099150Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099149Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099148Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099147Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099146Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099145Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099144Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099143Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099142Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099141Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099140Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099139Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099138Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099137Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099136Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099135Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099134Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099133Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099132Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099131Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099130Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099129Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099128Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099127Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099126Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099125Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099124Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099123Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099122Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099121Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099120Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099119Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099118Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.156{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099117Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:16.046{6A74A0F8-0703-602C-D3CC-00000000A301}44007040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000002099422Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.256{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52506-false10.0.1.12-8000- 23542300x80000000000000002099421Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.630{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667576E8FAF5DB9DB1D85AEC918016C5,SHA256=0CFCC6FEBC4D8C95382E1D42C455762088327B2CC92A9E2590BFC37287A055BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099420Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.532{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5CDB0680449687B01D1D6092DE0F02D,SHA256=0FB33BDED206C24DCF11C0C6FE0A54B4EEEBBFC146F3EBD830633D06603C63E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099419Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.532{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914CDDB4CA114817098EE4D3E21A9DF5,SHA256=24F8F6B0A80ECDDACF6121FFA6D48400FD28B4C9E11462DEE87DD7526478C535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099418Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.265{6A74A0F8-0705-602C-D5CC-00000000A301}59766164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099417Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+4e7ac|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+50417|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a22bb|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099416Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+77951|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+77a03|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b2ca|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b1c9|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+6e587|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a22a8|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099415Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a210b|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099414Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+9d7f4|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a17fa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099413Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a165c|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099412Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099411Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099410Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099409Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099408Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099407Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099406Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099405Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099404Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099403Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099402Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099401Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099400Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099399Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099398Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099397Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099396Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099395Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099394Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099393Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099392Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099391Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099390Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099389Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099388Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099387Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099386Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099385Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099384Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099383Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099382Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099381Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099380Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099379Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099378Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099377Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099376Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099375Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099374Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099373Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099372Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099371Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099370Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099369Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099368Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099367Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099366Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099365Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099364Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099363Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099362Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099361Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099360Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099359Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099358Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099357Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099356Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099355Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099354Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099353Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099352Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099351Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099350Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099349Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099348Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099347Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099346Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099345Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099344Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099343Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099342Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099341Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099340Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099339Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099338Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099337Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099336Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099335Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099334Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099333Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099332Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099331Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099330Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099329Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099328Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099327Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099326Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099325Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099324Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099323Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099322Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099321Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099320Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099319Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099318Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099317Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099316Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099315Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099314Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099313Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099312Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099311Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099310Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099309Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099308Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099307Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099306Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099305Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099304Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.187{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099303Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099302Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099301Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099300Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099299Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099298Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099297Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099296Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099295Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099294Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099293Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099292Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099291Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099290Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099289Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099288Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099287Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099286Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099285Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099284Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+71d9d|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a1517|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E191-602B-02C8-00000000A301}6424872C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002099244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E191-602B-02C8-00000000A301}6424872C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800978D48D8)|UNKNOWN(FFFFF99A23EB4998)|UNKNOWN(FFFFF99A23EB4B17)|UNKNOWN(FFFFF99A23EAF1A1)|UNKNOWN(FFFFF99A23EB0B6A)|UNKNOWN(FFFFF99A23EAEE26)|UNKNOWN(FFFFF800975EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF19b2377f.TMPMD5=83D1AFAA8D0BB411E55056E5143B15D7,SHA256=C08B97D5CAEEEB6D77A5623B5198A7B8CFA5EFDB389F2615BBAD805E93020D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.171{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-730C-6025-0D00-00000000A301}988592C:\Windows\system32\svchost.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.109{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.094{6A74A0F8-0705-602C-D5CC-00000000A301}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:17.015{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=617928AD1FC3D63DE7E8EB8BE40050F6,SHA256=DBED731F9E7092F1D3A0C1138512B4659DB529CC7CCF3226DF1CFC4A58D8F2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099490Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.537{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85EF004EADBD811EF1A1ABA34B11FA99,SHA256=8329E53779EA8B718352815AB49787765098D2814CFEE38952798E892B737452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099489Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.537{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE8814C17D20DE0CFBBC46F99A2A2D2B,SHA256=806785697E4E5C5AE8338B2C2842C76B33C3A02058882C5EC721E722C9DB98CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099488Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.296{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139E754EA16933BBB956F055516771C9,SHA256=13A1E787F12AE2AA3B8BEDC6816C21C0DC15F0886414550BBE0C8762CC3284AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099487Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.265{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A2E20DEF1745049E98A4F94FAFBEC7,SHA256=FDB7AA121D24E2AEAD5CC50633F8D16B758D7C7FD960396D85FEDAC290C0F13B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099486Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099485Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099484Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099483Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099482Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099481Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099480Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099479Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099478Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099477Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099476Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099475Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099474Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099473Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099472Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099471Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099470Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099469Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099468Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099467Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099466Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099465Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099464Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099463Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099462Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099461Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099460Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099459Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099458Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099457Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099456Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099455Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099454Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099453Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099452Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099451Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099450Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099449Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099448Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099447Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099446Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099445Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099444Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099443Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099442Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099441Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099440Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099439Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099438Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099437Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099436Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099435Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099434Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099433Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099432Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099431Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099430Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099429Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099428Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099427Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099426Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099425Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099424Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.203{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099423Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:18.046{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A213A0430376FCD4E6A3A4B2156E56B4,SHA256=0A8A039DA3A8CBD636F212BE18E29DB315856F2281E85399D4032095D182FF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099557Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.630{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9321A294B90A97562F39FB3EA1530714,SHA256=E8F1211B307B983A7C08D3767396E7A6435290292B19A6EF5718D1FFFF17BB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099556Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.296{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D5A4F83E14174CDDA2681E6388C6E6,SHA256=58614DC298241E7C578BB6B5B0D49DDFA7676CD842E847755BBE70782C76701C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099555Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B8-602C-C7CC-00000000A301}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099554Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C6CC-00000000A301}5780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099553Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-06B7-602C-C5CC-00000000A301}7764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099552Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-04C8-00000000A301}7840C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099551Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E192-602B-03C8-00000000A301}5308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099550Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-E191-602B-02C8-00000000A301}6424C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099549Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-C2B5-6026-032E-00000000A301}7940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099548Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099547Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099546Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099545Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D62B-00000000A301}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099544Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F6-6026-D52B-00000000A301}4252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099543Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099542Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099541Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099540Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099539Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-B03D-6026-B92B-00000000A301}4108C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099538Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2A02-00000000A301}3876C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099537Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099536Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743C-6025-1F02-00000000A301}4820C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099535Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1C02-00000000A301}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099534Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-743B-6025-1B02-00000000A301}2316C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099533Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7399-6025-0502-00000000A301}2748C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099532Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-738D-6025-0202-00000000A301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099531Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099530Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CF01-00000000A301}3928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099529Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099528Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5300-00000000A301}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099527Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7321-6025-5000-00000000A301}3712C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099526Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2E00-00000000A301}3184C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099525Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2C00-00000000A301}2772C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099524Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2B00-00000000A301}2204C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099523Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2A00-00000000A301}2064C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099522Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099521Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099520Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2600-00000000A301}3036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099519Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0300B2DFF1A9FA79434C6CDB6CF0A44E,SHA256=C43D9DEE34CEFA535667B3686BE40327A9EBC6A9245B29294AD5B8D70B41E5FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099518Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2500-00000000A301}2908C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099517Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099516Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2300-00000000A301}2892C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099515Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2200-00000000A301}2884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099514Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-731C-6025-2100-00000000A301}2808C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099513Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7316-6025-1F00-00000000A301}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099512Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730D-6025-1D00-00000000A301}2304C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099511Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1700-00000000A301}1652C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099510Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099509Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099508Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099507Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1300-00000000A301}1276C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099506Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099505Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1100-00000000A301}1168C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099504Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-1000-00000000A301}1172C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099503Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0F00-00000000A301}1120C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099502Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0E00-00000000A301}1088C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099501Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0D00-00000000A301}988C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099500Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730C-6025-0C00-00000000A301}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099499Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099498Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0A00-00000000A301}848C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099497Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0900-00000000A301}804C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a07aa|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099496Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0800-00000000A301}720C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099495Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-730A-6025-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099494Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7309-6025-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099493Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0200-00000000A301}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099492Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.218{6A74A0F8-E435-602B-61C8-00000000A301}79485272C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe{6A74A0F8-7308-6025-0100-00000000A301}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a56b4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+a0806|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+7c258|C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099491Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:19.171{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42966F731EADDCDC945CE1B2DB138BC6,SHA256=09ED7B159AC46D0D88D8CB37D1DE22C42C7EDF8FD616A7DEEC26D32866BA634A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099579Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.656{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=43A850523E1941DDBD8E6E2A24A64C72,SHA256=72F5ECF71E9A63752996CC85848647ECEDA820730BB48CBC94F09B76A5759E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099578Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.296{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CFEAD56B578090AE78318BEF15E2E0,SHA256=2099696CC40D89895DDCA10DF5695785C4178643EDB012C75E305E376393709E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099577Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.296{6A74A0F8-0708-602C-D6CC-00000000A301}46287116C:\Windows\system32\wbem\wmiprvse.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\combase.dll+a8a02|C:\Windows\System32\combase.dll+a972e|C:\Windows\System32\combase.dll+a953f|C:\Windows\System32\combase.dll+45458|C:\Windows\System32\combase.dll+45070|C:\Windows\System32\combase.dll+520a7|C:\Windows\System32\combase.dll+c2274|C:\Windows\System32\combase.dll+4f0e1|C:\Windows\System32\combase.dll+508c0|C:\Windows\System32\combase.dll+21ba|C:\Windows\System32\RPCRT4.dll+d97da|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000002099576Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.171{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C9CBA639D97A9259EFEE6388DEDC3A1,SHA256=42F61869DF6BEE0DF0C5017B6ECB41423EC225D0DEF01E42C8B72DE76CBC3F49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099575Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.156{6A74A0F8-730C-6025-1600-00000000A301}15321684C:\Windows\system32\svchost.exe{6A74A0F8-0708-602C-D6CC-00000000A301}4628C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099574Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.156{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-0708-602C-D6CC-00000000A301}4628C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099573Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.137{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-0708-602C-D6CC-00000000A301}4628C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099572Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.137{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-0708-602C-D6CC-00000000A301}4628C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099571Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.109{6A74A0F8-7308-6025-0100-00000000A301}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTPROCEXP TRACE.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x80000000000000002099570Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099569Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099568Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099567Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099566Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099565Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099564Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099563Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099562Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.062{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099561Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.046{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099560Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.046{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099559Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.046{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099558Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:20.046{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-E435-602B-61C8-00000000A301}7948C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099593Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.749{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F230CC9AEB77C41ECEED77D07910658B,SHA256=9A02474ACB5A7BE988859F10E7AF762DB7CCD76A69D6DB2EE75A19CCF30AE4AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099592Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.332{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099591Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.332{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099590Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.312{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C374318A23AD5810B1BF8284BE4B4A86,SHA256=013FD667B53CA1C60F8292314FB3B37A96A78142C56E9C21107A8F0CBDDF01EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099589Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.312{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1090E58ED64EDE359AE4DD52C32E8D96,SHA256=F9B52D0D58B64AA4981F4B3162568A501542E259959B1AD328DD1068809FA8CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099588Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.281{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099587Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.281{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099586Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099585Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099584Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099583Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099582Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099581Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099580Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:21.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46165368C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ca70|C:\Program Files\Mozilla Firefox\firefox.exe+2c5c3|C:\Program Files\Mozilla Firefox\firefox.exe+40920|C:\Program Files\Mozilla Firefox\firefox.exe+4061c|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099618Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.765{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07D7CFAE12C9B22FB8049E0F2A00B5DD,SHA256=10CC28BB9DDD713A6DCC59245751A0910A02CC4AF63104C0B0686EA3D87078C8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002099617Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localInvDB-VerSetValue2021-02-16 17:55:22.406{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe\REGISTRY\A\{fd8e9d7f-c8da-904b-f0ac-0af853e8487b}\Root\InventoryApplicationFile\procexp64.exe|72ad4baa7c746a63\BinProductVersion16.32.0.0 13241300x80000000000000002099616Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localInvDB-CompileTimeClaimSetValue2021-02-16 17:55:22.406{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe\REGISTRY\A\{fd8e9d7f-c8da-904b-f0ac-0af853e8487b}\Root\InventoryApplicationFile\procexp64.exe|72ad4baa7c746a63\LinkDate09/11/2020 22:00:01 13241300x80000000000000002099615Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localInvDB-PubSetValue2021-02-16 17:55:22.406{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe\REGISTRY\A\{fd8e9d7f-c8da-904b-f0ac-0af853e8487b}\Root\InventoryApplicationFile\procexp64.exe|72ad4baa7c746a63\Publishersysinternals - www.sysinternals.com 13241300x80000000000000002099614Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localInvDB-PathSetValue2021-02-16 17:55:22.406{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exe\REGISTRY\A\{fd8e9d7f-c8da-904b-f0ac-0af853e8487b}\Root\InventoryApplicationFile\procexp64.exe|72ad4baa7c746a63\LowerCaseLongPathc:\programdata\chocolatey\lib\sysinternals\tools\procexp64.exe 13241300x80000000000000002099613Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localInvDBSetValue2021-02-16 17:55:22.390{6A74A0F8-730C-6025-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKU\S-1-5-21-3629283219-3078244836-3188048466-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp64.exeBinary Data 23542300x80000000000000002099612Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AF21C7C55C4EE562F3E7E93A026B902,SHA256=E7EBF26FD1E734C612923928B0E73DF113B2CDF28B3E8F82486550D8D96724B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099611Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141dc32|C:\Program Files\Mozilla Firefox\xul.dll+13fedd3|C:\Program Files\Mozilla Firefox\xul.dll+151a05d|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1 10341000x80000000000000002099610Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+140119f|C:\Program Files\Mozilla Firefox\xul.dll+13ff31d|C:\Program Files\Mozilla Firefox\xul.dll+1519f32|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1|C:\Program Files\Mozilla Firefox\xul.dll+2a0633e|C:\Program Files\Mozilla Firefox\xul.dll+2e2891|C:\Program Files\Mozilla Firefox\xul.dll+2bcbdbd|C:\Program Files\Mozilla Firefox\xul.dll+2bd0a70|C:\Program Files\Mozilla Firefox\xul.dll+2bd08d1|C:\Program Files\Mozilla Firefox\xul.dll+2bd0494 10341000x80000000000000002099609Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141c759|C:\Program Files\Mozilla Firefox\xul.dll+13fff94|C:\Program Files\Mozilla Firefox\xul.dll+13ffda8|C:\Program Files\Mozilla Firefox\xul.dll+13ffc44|C:\Program Files\Mozilla Firefox\xul.dll+1519f13|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6 10341000x80000000000000002099608Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141dc32|C:\Program Files\Mozilla Firefox\xul.dll+13fedd3|C:\Program Files\Mozilla Firefox\xul.dll+151a05d|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1 10341000x80000000000000002099607Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+140119f|C:\Program Files\Mozilla Firefox\xul.dll+13ff31d|C:\Program Files\Mozilla Firefox\xul.dll+1519f32|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1|C:\Program Files\Mozilla Firefox\xul.dll+2a0633e|C:\Program Files\Mozilla Firefox\xul.dll+2e2891|C:\Program Files\Mozilla Firefox\xul.dll+2bcbdbd|C:\Program Files\Mozilla Firefox\xul.dll+2bd0a70|C:\Program Files\Mozilla Firefox\xul.dll+2bd08d1|C:\Program Files\Mozilla Firefox\xul.dll+2bd0494 10341000x80000000000000002099606Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141c759|C:\Program Files\Mozilla Firefox\xul.dll+13fff94|C:\Program Files\Mozilla Firefox\xul.dll+13ffda8|C:\Program Files\Mozilla Firefox\xul.dll+13ffc44|C:\Program Files\Mozilla Firefox\xul.dll+1519f13|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6 10341000x80000000000000002099605Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141c759|C:\Program Files\Mozilla Firefox\xul.dll+13fff94|C:\Program Files\Mozilla Firefox\xul.dll+13ffda8|C:\Program Files\Mozilla Firefox\xul.dll+13ffc44|C:\Program Files\Mozilla Firefox\xul.dll+2e54aca|C:\Program Files\Mozilla Firefox\xul.dll+2e5c528|C:\Program Files\Mozilla Firefox\xul.dll+2e5eb57|C:\Program Files\Mozilla Firefox\xul.dll+48d43d|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1|C:\Program Files\Mozilla Firefox\xul.dll+2a0633e|C:\Program Files\Mozilla Firefox\xul.dll+2e2891|C:\Program Files\Mozilla Firefox\xul.dll+2bcbdbd|C:\Program Files\Mozilla Firefox\xul.dll+2bd0a70 10341000x80000000000000002099604Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.359{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141c759|C:\Program Files\Mozilla Firefox\xul.dll+13fff94|C:\Program Files\Mozilla Firefox\xul.dll+13ffda8|C:\Program Files\Mozilla Firefox\xul.dll+13ffc44|C:\Program Files\Mozilla Firefox\xul.dll+2e54aca|C:\Program Files\Mozilla Firefox\xul.dll+2e5c528|C:\Program Files\Mozilla Firefox\xul.dll+2e5eb57|C:\Program Files\Mozilla Firefox\xul.dll+48d43d|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1|C:\Program Files\Mozilla Firefox\xul.dll+2a0633e|C:\Program Files\Mozilla Firefox\xul.dll+2e2891|C:\Program Files\Mozilla Firefox\xul.dll+2bcbdbd|C:\Program Files\Mozilla Firefox\xul.dll+2bd0a70 10341000x80000000000000002099603Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.337{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+140119f|C:\Program Files\Mozilla Firefox\xul.dll+13ff31d|C:\Program Files\Mozilla Firefox\xul.dll+1519f32|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1|C:\Program Files\Mozilla Firefox\xul.dll+2a0633e|C:\Program Files\Mozilla Firefox\xul.dll+2e2891|C:\Program Files\Mozilla Firefox\xul.dll+2a0562b|C:\Program Files\Mozilla Firefox\xul.dll+2a055a9|C:\Program Files\Mozilla Firefox\xul.dll+2ad5743|C:\Program Files\Mozilla Firefox\xul.dll+2ad2d70|C:\Program Files\Mozilla Firefox\xul.dll+2ad13f4|C:\Program Files\Mozilla Firefox\xul.dll+2ac8cf4 10341000x80000000000000002099602Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.337{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456a91|C:\Program Files\Mozilla Firefox\xul.dll+499419|C:\Program Files\Mozilla Firefox\xul.dll+4993b9|C:\Program Files\Mozilla Firefox\xul.dll+f68556|C:\Program Files\Mozilla Firefox\xul.dll+499264|C:\Program Files\Mozilla Firefox\xul.dll+141c9a1|C:\Program Files\Mozilla Firefox\xul.dll+141c759|C:\Program Files\Mozilla Firefox\xul.dll+13fff94|C:\Program Files\Mozilla Firefox\xul.dll+13ffda8|C:\Program Files\Mozilla Firefox\xul.dll+13ffc44|C:\Program Files\Mozilla Firefox\xul.dll+1519f13|C:\Program Files\Mozilla Firefox\xul.dll+1519e67|C:\Program Files\Mozilla Firefox\xul.dll+15183c0|C:\Program Files\Mozilla Firefox\xul.dll+1513c37|C:\Program Files\Mozilla Firefox\xul.dll+1523558|C:\Program Files\Mozilla Firefox\xul.dll+1511e94|C:\Program Files\Mozilla Firefox\xul.dll+1512393|C:\Program Files\Mozilla Firefox\xul.dll+48d792|C:\Program Files\Mozilla Firefox\xul.dll+46f2d6|C:\Program Files\Mozilla Firefox\xul.dll+2e3af5|C:\Program Files\Mozilla Firefox\xul.dll+2a070e1 10341000x80000000000000002099601Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.337{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099600Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.334{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+2a73e88|C:\Program Files\Mozilla Firefox\xul.dll+16086ce|C:\Program Files\Mozilla Firefox\xul.dll+2a0e87e|C:\Program Files\Mozilla Firefox\xul.dll+2a0d61a|C:\Program Files\Mozilla Firefox\xul.dll+2aceb97|C:\Program Files\Mozilla Firefox\xul.dll+2bfc6b5|C:\Program Files\Mozilla Firefox\xul.dll+2bfb791|C:\Program Files\Mozilla Firefox\xul.dll+2bfe3c8|C:\Program Files\Mozilla Firefox\xul.dll+2bd579|C:\Program Files\Mozilla Firefox\xul.dll+2beff5|C:\Program Files\Mozilla Firefox\xul.dll+1791d75|C:\Program Files\Mozilla Firefox\xul.dll+4f488a|C:\Program Files\Mozilla Firefox\xul.dll+1e7bc75|C:\Program Files\Mozilla Firefox\xul.dll+23c25f|C:\Program Files\Mozilla Firefox\xul.dll+39e1315|C:\Program Files\Mozilla Firefox\xul.dll+106e19|C:\Program Files\Mozilla Firefox\xul.dll+39c0a62|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+16f834|UNKNOWN(0000030DAEE43B0F) 10341000x80000000000000002099599Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.334{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+2a73e61|C:\Program Files\Mozilla Firefox\xul.dll+16086ce|C:\Program Files\Mozilla Firefox\xul.dll+2a0e87e|C:\Program Files\Mozilla Firefox\xul.dll+2a0d61a|C:\Program Files\Mozilla Firefox\xul.dll+2aceb97|C:\Program Files\Mozilla Firefox\xul.dll+2bfc6b5|C:\Program Files\Mozilla Firefox\xul.dll+2bfb791|C:\Program Files\Mozilla Firefox\xul.dll+2bfe3c8|C:\Program Files\Mozilla Firefox\xul.dll+2bd579|C:\Program Files\Mozilla Firefox\xul.dll+2beff5|C:\Program Files\Mozilla Firefox\xul.dll+1791d75|C:\Program Files\Mozilla Firefox\xul.dll+4f488a|C:\Program Files\Mozilla Firefox\xul.dll+1e7bc75|C:\Program Files\Mozilla Firefox\xul.dll+23c25f|C:\Program Files\Mozilla Firefox\xul.dll+39e1315|C:\Program Files\Mozilla Firefox\xul.dll+106e19|C:\Program Files\Mozilla Firefox\xul.dll+39c0a62|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+16f834|UNKNOWN(0000030DAEE43B0F) 10341000x80000000000000002099598Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.334{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D22B-00000000A301}2592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+2a73e36|C:\Program Files\Mozilla Firefox\xul.dll+16086ce|C:\Program Files\Mozilla Firefox\xul.dll+2a0e87e|C:\Program Files\Mozilla Firefox\xul.dll+2a0d61a|C:\Program Files\Mozilla Firefox\xul.dll+2aceb97|C:\Program Files\Mozilla Firefox\xul.dll+2bfc6b5|C:\Program Files\Mozilla Firefox\xul.dll+2bfb791|C:\Program Files\Mozilla Firefox\xul.dll+2bfe3c8|C:\Program Files\Mozilla Firefox\xul.dll+2bd579|C:\Program Files\Mozilla Firefox\xul.dll+2beff5|C:\Program Files\Mozilla Firefox\xul.dll+1791d75|C:\Program Files\Mozilla Firefox\xul.dll+4f488a|C:\Program Files\Mozilla Firefox\xul.dll+1e7bc75|C:\Program Files\Mozilla Firefox\xul.dll+23c25f|C:\Program Files\Mozilla Firefox\xul.dll+39e1315|C:\Program Files\Mozilla Firefox\xul.dll+106e19|C:\Program Files\Mozilla Firefox\xul.dll+39c0a62|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+16f834|UNKNOWN(0000030DAEE43B0F) 23542300x80000000000000002099597Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.312{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E996A147FD81EE39CC75E3BD71E4AFB5,SHA256=DDC73995376072CE017CAE540009C855210F6DB3F9BA615F4C932D13879B389B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099596Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.281{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099595Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099594Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:22.281{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099629Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099628Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099627Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099626Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099625Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099624Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.968{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099623Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.952{6A74A0F8-E191-602B-02C8-00000000A301}64247828C:\Windows\explorer.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099622Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.812{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E0D961CFE021907C3EA662ECA45300B,SHA256=00ED1479132512A0C4C866F72415ADB4329047871D2E19FC4A35451A7717917D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099621Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.499{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82445C6568E7FE59F76668635BD14AE7,SHA256=CC5874D936E253E96D94A6966094BF06B2589A6C920688EBDBE95E10CF776823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099620Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.374{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF54418C29412C511369A0408FBF963D,SHA256=0531252361AD5C6E121983034062227C2227D302F78F67DF82B0E4C34C52A715,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099619Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:26.334{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52507-false10.0.1.12-8000- 23542300x80000000000000002099683Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.843{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D79B61F9300A76D19CFEAD2F2630EE8,SHA256=F28D404B7F37D9FB9383DC4D56C302CC8A8874B6F4986FD7D072A4CC7D5178BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099682Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.796{6A74A0F8-070C-602C-D7CC-00000000A301}932ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\saved-telemetry-pings\f58784ff-9863-491c-9d4f-c1dea741c7ebMD5=94439BE1CCBD2CC517A17B3B5054136D,SHA256=002FD69C114B2C342EC00276886D0C574E5BAA5CF12949F55741B4E2B057F401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099681Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.687{6A74A0F8-070C-602C-D7CC-00000000A301}932ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\saved-telemetry-pings\16b9410c-1307-46f5-b736-5b53c9d601a7MD5=8DBD73756A0E07981FC47A1608C78CF1,SHA256=A64A8BD6D6E48B0209C27AC987FDE3C11D95C89751067287BE8DE98C835E337C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099680Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.546{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1600-00000000A301}1532C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099679Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.515{6A74A0F8-730A-6025-0B00-00000000A301}8604784C:\Windows\system32\lsass.exe{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099678Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.515{6A74A0F8-730A-6025-0B00-00000000A301}8604784C:\Windows\system32\lsass.exe{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099677Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.515{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8F68CA8475E0A77F74AC223C69B790,SHA256=673A3BD55483F79787266CAA025AD4CCAA2032D02F8AA630A001FDFD0637A5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099676Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.499{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D319517CF6F93C85618259EC776B60,SHA256=4A508B79057924B7BDB178FC0794310748482B99C9370A06E343F58436E30014,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099675Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.468{6A74A0F8-730C-6025-1600-00000000A301}15325952C:\Windows\system32\svchost.exe{6A74A0F8-070C-602C-D8CC-00000000A301}5540C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099674Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.468{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-070C-602C-D8CC-00000000A301}5540C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099673Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.406{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A0DAA81BF7964FEBA904EE70E790D3A3,SHA256=0CC55D963352CAE20E4239BD67700EA18518721C318046D17D0CB3FDC3E6C8DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099672Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.249{6A74A0F8-070C-602C-D8CC-00000000A301}55407912C:\Windows\system32\conhost.exe{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099671Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.249{6A74A0F8-743B-6025-1B02-00000000A301}23163668C:\Windows\system32\csrss.exe{6A74A0F8-070C-602C-D8CC-00000000A301}5540C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099670Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099669Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099668Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099667Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099666Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099665Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.237{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+aa643f|C:\Program Files\Mozilla Firefox\xul.dll+aa6255|C:\Program Files\Mozilla Firefox\xul.dll+aa62a1|C:\Program Files\Mozilla Firefox\xul.dll+4cb53a2|C:\Program Files\Mozilla Firefox\xul.dll+11f541d|C:\Program Files\Mozilla Firefox\xul.dll+11f71da|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+23fc3c|C:\Program Files\Mozilla Firefox\xul.dll+4e3943|C:\Program Files\Mozilla Firefox\xul.dll+45526de|UNKNOWN(0000030DAEE44860) 154100x80000000000000002099664Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.234{6A74A0F8-070C-602C-D7CC-00000000A301}932C:\Program Files\Mozilla Firefox\pingsender.exe85.0.2-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/16b9410c-1307-46f5-b736-5b53c9d601a7/event/Firefox/85.0.2/release/20210208133944?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\saved-telemetry-pings\16b9410c-1307-46f5-b736-5b53c9d601a7 https://incoming.telemetry.mozilla.org/submit/telemetry/f58784ff-9863-491c-9d4f-c1dea741c7eb/first-shutdown/Firefox/85.0.2/release/20210208133944?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\saved-telemetry-pings\f58784ff-9863-491c-9d4f-c1dea741c7ebC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2MediumMD5=C431E2665C545481AC57DC493344535E,SHA256=4E3113A642ADED68989D2242390FF3775BCAB40A6E4EE2D12B5B23D930352B65,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x80000000000000002099663Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.218{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\datareporting\aborted-session-pingMD5=1C9D8FB7D9C9C9A16EBDFB6DE4804974,SHA256=DE82F95900EC278A1E22FC49C82DA220386487F9E0E950787AE8AD1AA0E483DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099662Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.156{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage.sqlite-journalMD5=BF51B27508FFF7354D675093DF355BD4,SHA256=16BA802BB7487F2BF93262260DC058B202ABBA905DB6E4F28E1D10082F5BAB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099661Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.156{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=C3097DFCD6298201CD24E86E5E0D4E80,SHA256=E7E1F51931A2E3E636E26ABF4B704BF5CC3A16267A2286B3087563D6F719C9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099660Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.156{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=74A5FE267434A7329805C157D25905BC,SHA256=3F0C8053C3CA5B4C46F65DB57E7C519462FA2682229F37B2356B83445D18DDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099659Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099658Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\webappsstore.sqlite-walMD5=6CEE0DF4869DF0CD89AC72D63FC0BE64,SHA256=3F92B8CACA0F9E6B82B40C3F089B7E8A97F4070A0094AA6D9475153CD0FA1078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099657Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\webappsstore.sqlite-shmMD5=1F1495F1E7D2BE2A2F62B43697E2108D,SHA256=BD77F78E511225B74C535C74C3480BB08C7D38AE70163F2ADB1571A58FDC035B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099656Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\xulstore.jsonMD5=C4A53415413DF9DB3B72ECBD5484AA07,SHA256=6B261BD49534617198338CE75AA6C8FCF7D3E1CC2E5F9B1F7ACB709D04B24BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099655Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\cookies.sqlite-walMD5=D20DF273700705645A4B56B558342ABE,SHA256=2E4E812F73B56376A207C55DD5FEAE5EE84E61C8C7E8917F46EB46644D9F1B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099654Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\cookies.sqlite-shmMD5=949F39577E74AB5C6A00A5C96ED0A6D0,SHA256=270D42A869813C1E9F5938C2354865F212DCA7E240FCBEB2F8FDCE3CBEC76C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099653Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.137{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\favicons.sqlite-walMD5=9153A80ABBACFC7E2F73E6913E633C2A,SHA256=FADB377C50F6CF812C4A2E958CCBA9989DF9A131EF6690CDDC4191BB04A8A92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099652Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.109{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\favicons.sqlite-shmMD5=C801F4B906078CC1D338A5A748A0E7D7,SHA256=9A6D3EF4F31F0B93600898624771CBF6123B2671A9F7FC0F76D55C594DC1AD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099651Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.109{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\places.sqlite-walMD5=8FEE2EF8E4264E69C0E77B174C3A4BA5,SHA256=FB0CB6073E49C6F63FB0CABA9195F8AD2CA477FDBFD5878126323220D2320BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099650Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.077{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\places.sqlite-shmMD5=AECE59D710534B257F9B7D0060D494D9,SHA256=C50A9E3780A9B8A6C13F96671A128FBE03E0366171AC42D111DDB0EFC602CE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099649Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.077{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=E6C20F53D6714067F2B49D0E9BA8030E,SHA256=50A670FB78FF2712AAE2C16D9499E01C15FDDF24E229330D02A69B0527A38092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099648Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.062{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=A0821BC1A142E3B5BCA852E1090C9F2C,SHA256=DB037B650F36FF45DA5DF59BC07B0C5948F9E9B7B148EAD4454AB84CB04FD0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099647Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.046{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=2AD4FE43DC84C6ADBDFD90AABA12703F,SHA256=ECB4133A183CB6C533A1C4DED26B663E2232AF77DB1A379F9BD68840127C7933,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099646Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.046{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11a4a71|C:\Program Files\Mozilla Firefox\xul.dll+2810d4d|C:\Program Files\Mozilla Firefox\xul.dll+280aac9|C:\Program Files\Mozilla Firefox\xul.dll+27f294c|C:\Program Files\Mozilla Firefox\xul.dll+4cb53a2|C:\Program Files\Mozilla Firefox\xul.dll+11f541d|C:\Program Files\Mozilla Firefox\xul.dll+11f71da|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+23fc3c|C:\Program Files\Mozilla Firefox\xul.dll+23f3bf|C:\Program Files\Mozilla Firefox\xul.dll+3aa0cc5|C:\Program Files\Mozilla Firefox\xul.dll+39d3645|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099645Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.046{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11a4a71|C:\Program Files\Mozilla Firefox\xul.dll+2810d4d|C:\Program Files\Mozilla Firefox\xul.dll+280aac9|C:\Program Files\Mozilla Firefox\xul.dll+27f294c|C:\Program Files\Mozilla Firefox\xul.dll+4cb53a2|C:\Program Files\Mozilla Firefox\xul.dll+11f541d|C:\Program Files\Mozilla Firefox\xul.dll+11f71da|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+23fc3c|C:\Program Files\Mozilla Firefox\xul.dll+23f3bf|C:\Program Files\Mozilla Firefox\xul.dll+3aa0cc5|C:\Program Files\Mozilla Firefox\xul.dll+39d3645|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 23542300x80000000000000002099644Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.046{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099643Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.037{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=65690C43C42921410EC8043E34F09079,SHA256=7343D5A46E2FCA762305A4F85C45484A49C1607EDE8E8C4BD12BEDD2327EDB8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099642Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.037{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-B0F3-6026-D02B-00000000A301}4616C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099641Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.037{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D32B-00000000A301}4904C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11a4a71|C:\Program Files\Mozilla Firefox\xul.dll+2810d4d|C:\Program Files\Mozilla Firefox\xul.dll+2810817|C:\Program Files\Mozilla Firefox\xul.dll+aa36f6|C:\Program Files\Mozilla Firefox\xul.dll+a998d7|C:\Program Files\Mozilla Firefox\xul.dll+3cc2a|C:\Program Files\Mozilla Firefox\xul.dll+f6678c|C:\Program Files\Mozilla Firefox\xul.dll+f3debf|C:\Program Files\Mozilla Firefox\xul.dll+e8fe|C:\Program Files\Mozilla Firefox\xul.dll+1ca428|C:\Program Files\Mozilla Firefox\xul.dll+1c97ff|C:\Program Files\Mozilla Firefox\xul.dll+387b88a|C:\Program Files\Mozilla Firefox\xul.dll+391e8ae|C:\Program Files\Mozilla Firefox\xul.dll+391fc29|C:\Program Files\Mozilla Firefox\xul.dll+3920033|C:\Program Files\Mozilla Firefox\firefox.exe+1583|C:\Program Files\Mozilla Firefox\firefox.exe+4bff8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099640Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.037{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11a4a71|C:\Program Files\Mozilla Firefox\xul.dll+2810d4d|C:\Program Files\Mozilla Firefox\xul.dll+2810817|C:\Program Files\Mozilla Firefox\xul.dll+aa36f6|C:\Program Files\Mozilla Firefox\xul.dll+a998d7|C:\Program Files\Mozilla Firefox\xul.dll+3cc2a|C:\Program Files\Mozilla Firefox\xul.dll+f6678c|C:\Program Files\Mozilla Firefox\xul.dll+f3debf|C:\Program Files\Mozilla Firefox\xul.dll+e8fe|C:\Program Files\Mozilla Firefox\xul.dll+1ca428|C:\Program Files\Mozilla Firefox\xul.dll+1c97ff|C:\Program Files\Mozilla Firefox\xul.dll+387b88a|C:\Program Files\Mozilla Firefox\xul.dll+391e8ae|C:\Program Files\Mozilla Firefox\xul.dll+391fc29|C:\Program Files\Mozilla Firefox\xul.dll+3920033|C:\Program Files\Mozilla Firefox\firefox.exe+1583|C:\Program Files\Mozilla Firefox\firefox.exe+4bff8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099639Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.037{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=99601438AE1349B653FCD00278943F90,SHA256=72D74B596F7FC079D15431B51CE565A6465A40F5897682A94A3F1DD19B07959A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099638Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099637Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099636Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099635Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099634Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B10D-6026-D82B-00000000A301}4472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 10341000x80000000000000002099633Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}46166232C:\Program Files\Mozilla Firefox\firefox.exe{6A74A0F8-B0F5-6026-D42B-00000000A301}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1e1fc1|C:\Program Files\Mozilla Firefox\xul.dll+456eee|C:\Program Files\Mozilla Firefox\xul.dll+fe2538|C:\Program Files\Mozilla Firefox\xul.dll+280e052|C:\Program Files\Mozilla Firefox\xul.dll+280e17b|C:\Program Files\Mozilla Firefox\xul.dll+19fdd24|C:\Program Files\Mozilla Firefox\xul.dll+22f518|C:\Program Files\Mozilla Firefox\xul.dll+104e26|C:\Program Files\Mozilla Firefox\xul.dll+39d2c30|C:\Program Files\Mozilla Firefox\xul.dll+39e176e|C:\Program Files\Mozilla Firefox\xul.dll+198368|UNKNOWN(0000030DAEE42014) 23542300x80000000000000002099632Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionstore-backups\recovery.jsonlz4MD5=2686308FF4EBF97197A52EF8EBF663AF,SHA256=A597C29DD3CFC1595628FCB4818E15E4F22E9344A967F53E16A4778C08274982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099631Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:24.015{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionstore-backups\recovery.baklz4MD5=C15D415A78FC95B849832390DBA5EFF0,SHA256=A43829DBD98FB9DF2999564B892D00B9C041F853224E11B7454659C1EF41C97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099630Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:23.999{6A74A0F8-B0F3-6026-D02B-00000000A301}4616ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ohh4ybou.default-release\sessionCheckpoints.jsonMD5=C4AB2EE59CA41B6D6A6EA911F35BDC00,SHA256=00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099686Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:25.859{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=303F983DE194DA2A87E76300AF992B93,SHA256=8F094655D0724ABC4C69BE103387D76390EB868175E3F7D9A8AA59DD90A052D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099685Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:25.531{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A7FA37901AE27DE58DDEB744F36EF3,SHA256=BCA6ACDCD3F3EE18D1F9D3292BC6BE7A96EC2A10961CA45E6149DC3C1527C5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099684Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:25.421{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7851FA2D7B724EED60CED125E9CF0997,SHA256=0A291D0E9905CB5230BFFA9FDDEFD8BA5C02BB022BD8DC390C96B718E3354DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099691Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:26.905{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=59FFF9CED8633C149C3E1B2E0E637D5B,SHA256=A1629EE285E3C8B55E718C837AF3B045D24B45C3117E44B505DD46E8E3645C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099690Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:26.546{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2464CFD7DF77C601540D9D26DDC1E2,SHA256=108E2ABC99F41D63FD2EC2F27D8CA2BBD675AD7827AA7560BFBA020616C1A30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099689Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:26.437{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64F09BC00422F60CF26799D25D4BA6C5,SHA256=1FC7528967770A8EE7D364FF4BEC29FD0D828E5079EA798342E6B81AE863008B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099688Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.632{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-444.attackrange.local63786-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x80000000000000002099687Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.631{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local51203-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local53domain 354300x80000000000000002099694Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.638{00000000-0000-0000-0000-000000000000}932<unknown process>-tcptruefalse10.0.1.14win-dc-444.attackrange.local52508-false54.148.237.155ec2-54-148-237-155.us-west-2.compute.amazonaws.com443https 23542300x80000000000000002099693Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:27.655{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CC715F703083D8AEDEDE0C81F84FA8,SHA256=6AC025F90FC727FFE9F01A2F41B6998A458F446536BFCCCDFC6D3CB94261D114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099692Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:27.562{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B414D482EDC70D570F9A0ECD47A20916,SHA256=5368B968545D142FE87E88E7856EB136526665B45D51AFCBE776D6E389F1BFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099697Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:28.687{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3395A6EEB690E91909D3F6A1134F9F16,SHA256=2F0787DB918BBD987F7E6C409A4F5219BFF9B67F8C2C69B4769E0ED53631063E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099696Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:28.593{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C8B64880841C15189C77D449E213BF7,SHA256=C642529BD1A26FFAD315C26C0960F814704E3C4B21650E55B58489C00EFD10E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099695Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:28.015{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58F3FA15C6D3996B56E773CC2FFC3F90,SHA256=3B8572AEF2AD3A3A57673904064ADDB720F79DD18A33B10464BEB37FAE203830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099701Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.718{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63E3720A992EC1BE1A15DA5EAB2CD290,SHA256=7E171A9D30765174BF1A6F9E5C02A16FBFA25F2FF89F55DA753C40760B8D75C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099700Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.702{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1988BD83459FBB9C9294EB1F6C6050,SHA256=B4FF7962D9DEBC4C812AE07A855F2F14142A529944B9FCD5AF7169F27BEF8E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099699Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:32.209{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52509-false10.0.1.12-8000- 23542300x80000000000000002099698Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:29.046{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD35AF09CFCCD63885C20C0730C7E928,SHA256=63B96FDE5FA27689C1A917AEDEFAB8222E37AB597B13B62EA7BEBDE8B52D6C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099704Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:30.843{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4171B93C99F6329E8DB904E9064DD83A,SHA256=94E91D84BE43755D1AC341386F94F63ADB422E0CC4855EEB2DDB074E27D7C284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099703Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:30.702{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F84E7C3C85FF61EACB608CAD00AFA0,SHA256=8198D20EF1ACCA2819B590BF9B25E6C44A496833A83C6452D3570AD2FE355328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099702Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:30.202{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4810BEAA08BEFCC408A69E193925C748,SHA256=18CAAFABCE9FF30AAEB91D4B4AF5BE01DFDC407C36B8AA1897345880E8E83CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099707Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:31.968{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76E1F480E07D800BCBC2C5CE4C6EDED7,SHA256=F1E4C97910A84A281E2519F7CD65EA194AF3D774F5B0BD4B76BA77C49098CF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099706Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:31.765{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB5D3A95D31184DA4DBA6C49EF063FB,SHA256=1D906F8125A94A62697D11F256477E052FAD05D8994308312A6B480A08351191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099705Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:31.280{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F11D72D42B0F111D61E038406D8C4B47,SHA256=B2236D11686BDC4F939A396DAC2ED36E6545F9665AA7B3A2A9C63052D7EC4D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099709Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:32.780{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F120C6D1F4CC3331D4DB50C48E9E4B,SHA256=EB3CEBF29518C05CE920BFE6F25D8009EE7188241B7C82564FA2410AE355F777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099708Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:32.405{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C89CC016801CAD347C46874AAB75830A,SHA256=C2B56CAC3377FE3DE93D49098FB9B79C2F653AFF971FE67200870A011C09038E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099713Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:33.796{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DE9E63C013E344F0ED05E0875C59B4,SHA256=47B38EDD4D10654698ECEB000BC508E5FC13C3788CC026341F78B0B41F35EFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099712Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:33.530{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5272FE2DE7B4EE0CF6FEC19E6FC45998,SHA256=2A33CC286315BF0BA7EB1CFF42C963E6B8B2AB417D05A37E77251CF1C006F85D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099711Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:37.272{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52510-false10.0.1.12-8000- 23542300x80000000000000002099710Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:33.077{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD8D436DDFF1CAD55D0540BF83A10558,SHA256=DF9E470BE9A015B5E21445FA41F5ABE1478400A7B73067FC0EDBF08AD8998B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099716Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:34.859{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE03D630A97DE5B673A00B2E47B4333,SHA256=F766C940E4E397A61463FE8EFB025AE22C60F1EF847D36E28FEEA7A2ACB1AAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099715Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:34.562{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0949574BB53584A6708D535C8AE9C442,SHA256=5F7AF69960AF95679C8F763340042EB1036863E834CBB6192765E812B7BF0BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099714Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:34.108{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3E3CF865DD16322EFF5A01D0A9A93DF,SHA256=C4403E89D7C7DB55BAA5828F901D8D16D33503C9388D481D7E70EA5679A6332D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099719Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:35.952{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D322055617E3A2C056A6F024E098B323,SHA256=9E3566FD21C80624DBFE0C39B3A4C78D952A371DF43ED699CF20297B7941B039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099718Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:35.562{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2959962AAECD28875D9286F6F9CD74B4,SHA256=F72C7221CCA425F4BEA661C525A71F225CF636A9BC423EEF246F058781498DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099717Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:35.140{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58639DEACDF3ADA5721B5DFE4FC8B7A5,SHA256=AC8E538C1D4229954247F4E4903309BEA1C8121C3A7AEA32493691C6EC2C3048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099723Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:36.671{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A7B6BB8148426E18B9AB7E22E56D2DC,SHA256=47C03A5D79F890DA7BE68193200D7D4AF2781ECFE161961D38F663ED62471407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099722Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:36.499{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E7401E12140CF5EB1EFDAEE06680401,SHA256=46EFA060FCC3A0B6A66D808B6D2F28B6D903599CD2BC6562C2DC19F5CD97520B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099721Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:36.499{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BDD3B41258923C751505B680AEA049,SHA256=5819EE708F7B1D385455B4DDAC24D29CBAC6CE59B9D24D34F68C77BE4C50B678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099720Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:36.140{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C8A0536338453F6A20B86E1F8266D26,SHA256=D2C108282734F1FB9B59B8F078BE20CDFFE9531A9145E3AC659F0B2102CCBCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099728Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:37.718{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3F69D121ACAB9200D121D0E99909982,SHA256=85BCBCA488527CB3AB6ED0EB6F40657E09F63CD07A8EDE81F336AB1BB687E81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099727Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:40.553{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52511-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x80000000000000002099726Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:40.553{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52511-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x80000000000000002099725Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:37.280{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5DDEA618F764750DD77BA2EFE285224,SHA256=3C960C915DAEAEE7D9A53EA1767A0C54FA39D64044ED758B323E1A0E35FAA2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099724Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:37.030{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C805248607C601689176265D4703CC9,SHA256=FAFC2988F0C5D8F6CF510F16BDE98DF8ED78728DFB5942CDB5222CDE33AC6FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099731Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:38.780{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2D3272CA84B624BFC98B4CDF74578C2,SHA256=2201F11988EC19411F589A091042FB79493F647F6459954F6DAEDB078FE4E2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099730Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:38.296{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6E6DED79B02E45CF01C636CBB5E7FA19,SHA256=B01513C14CF5FEC6A84DB63A03DB51ABD26F7FAA5FBF9341F1A365226B96CBB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099729Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:38.061{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA57FA6DCD2FDF7127DE2D1DF87707F,SHA256=96CE27EAD97FA2F0DF4FF9765D5B67090AB5BE6B9B9CC6DE876CD5887476909E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099735Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:39.874{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=355C51636C8E99EEF6CE24FE18822A01,SHA256=99066556BD7C3A3F8E239BCE8ECE4B382B601B85962D1776504672F593BE6963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099734Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:39.421{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81A310CAF802536E6D23B0CA6CC75284,SHA256=97D23E4B57B51E4209835081F93D6B248596F514670D47DB1336510AD104089A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099733Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:43.131{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52512-false10.0.1.12-8000- 23542300x80000000000000002099732Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:39.077{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F17DF684FB692CB054217C43F87A4C4,SHA256=684CAF6754B20DB4F7FDA708800685219FEED405E3D21029B71CD35AC803A457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099738Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:40.952{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93D7CCCFC426A5AF6E292F3BABB6C887,SHA256=0EDDF55028DB051F95EFAD78C8B6B482CF17A4AFE7C965E1EB8CF2050BD9C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099737Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:40.468{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98CEC835EA592CE0BD272E0EFA3233D3,SHA256=26552C27518C40ACEBFF7F578A9566D0271EC2C0CF894F294F38546B2A9B3AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099736Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:40.093{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63521EB6BA17B8BF675F499E2F578556,SHA256=EB01C9969D93A98C24B5B0DCD76CC3A0E99639E93DC68FD07F79CDAD4ED6956F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099743Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:41.593{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1656AC691FF59582A2FB3D0FFD319880,SHA256=BDC760C06121EA382C2FA9086C0BEBBC16C312C90492B92E1BF94DDAD02D8010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099742Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:41.124{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A64BDA7236B8E1E98A5D34A6C86C3C,SHA256=A6091C4342C4E61227FFEA8A065411300991D658A4B41BE68AF5A2F4A772FE8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099741Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:41.093{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099740Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:41.093{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099739Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:41.093{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-730C-6025-1500-00000000A301}1496C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099746Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:42.717{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D7A4B01C31DDE763A67CE22A61AB0A4,SHA256=24114EA462FE6C6CD4B9281FECE8EDD06B1E0FC9F79EA1660AB37F3E4627BA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099745Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:42.124{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855C68BAAB00E7FE3F9BC72528016E34,SHA256=78BCA7E7C8C7EF0D07E578BB5173641F36BC9123CB41CB6B353CB9206A982A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099744Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:42.030{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A40D663E60292CBF16A8D0BA72B829C1,SHA256=CCA64E3A6800127EEF88AAE9C9BF28285A08EBB3972A6E315BA2D5F0FD4F0963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099749Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:43.842{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=875EC60A2FE6B7E5B6508679487F6359,SHA256=85C0094EADA5C5612E191A16166F5DBECAC3F4C8D522C327573BBAB273E2B285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099748Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:43.155{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5DC25C20D76968541235B29AA0DB6AE5,SHA256=3E4904AB5D17B5FA1A7A747BF289798D312236BF4D2596941739A3A76D28379C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099747Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:43.139{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F50362131E57547405E70C059CABD9,SHA256=25CBDAD078414D125E378C210FBACAE452B4D569B96BEA54DC1FB29C8800177E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099753Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:44.983{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=44C5E85A4B29ACA8D6DF7D679408E19B,SHA256=576A57D7828AFD20E7C4ADF68F8FB556569B71F48819C78DD229F3CDD2A9EFE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099752Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:48.209{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52513-false10.0.1.12-8000- 23542300x80000000000000002099751Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:44.327{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=56FA3A19E2E9CB9EAE3215EF7CD776AA,SHA256=0BE06E1DBDFF2C2ECDD1A7485603D21968842F203ADB6C79C9D4AF2EAA3FB675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099750Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:44.139{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE727DFE8DA8FE763C7300A80B0AB13,SHA256=05F99028CBBCDFCC663AED78FF1D0D77E0D09AA9A3FA0BD9601D4ED4C1E26443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099755Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:45.436{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C622893EB1C2E9DEA9C2801786D12F9,SHA256=1D27DAB6C3B60F904B20983213F895F79E7B8CEBD71BDF898D1D592843926975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099754Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:45.186{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A38EBB9DEE9D3165A4FBFEDE0273FC,SHA256=D6E3A7F27B50B1E35A8920E4C03EEBF5966B2D7E3DAB0F9B614827C38C6F4F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099758Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:46.561{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B4CC036D0F3C174B7C5466DD04C452B,SHA256=D92A92C83BB66AE1423C5CCB7BB27EFE2447D80DE72E924D23085386210DA9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099757Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:46.202{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286ADF8F6D6BE6B8BB34F286672668AE,SHA256=32CDEAC0AF1B2CB31D6AA49A9C92D09045C26F7E6F072FDE193FB81E4258AA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099756Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:46.124{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35A0E5C74DEB0AFBA6EFAF634952CE2A,SHA256=1EB3232833983907F5E92DFA243A9A1F67BA50287CA2FCD7949EEA04F49AAD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099761Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:47.749{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF208C4C4C6D629236903BFB3716FDFC,SHA256=18D969CC5C984AD179FFCD00DD3A84946E14E7E6ED14857D8A60C847E9A0BC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099760Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:47.233{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FF3D9F39BD9B98AC4726B4CB43CDE65,SHA256=278D17BC8BBC47AD1AAEA010580A93F4472E6677F68C54A6DE07E2213111BCF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099759Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:47.217{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7021B17283CC5E1D9983A6C777D0C033,SHA256=B90814B4CAF93EA473A3A41CB0A66665285D1AD59EE72DDBFBA824D7FF507773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099764Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:48.811{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3F9C7E13CD43BF84AAF549F81F2E4FEC,SHA256=B30299DA985D036F017667F26D5BD0CA540F315CC5A3C06A7F452A3D5E6E5C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099763Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:48.374{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=351C1DBF913C8B06FDEA02153DB75D60,SHA256=7898D57A70E0485C69D353DAA28D17D752549BA63C61FF630D879B90FBE33AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099762Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:48.233{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3F907EB9DEDA22488C44CE304CB0EC,SHA256=46E49BACCF78E3BD25D8C1D840D57B69C84239C124288C4617F164C2EA7EA742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099768Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:53.287{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52514-false10.0.1.12-8000- 23542300x80000000000000002099767Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:49.561{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099766Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:49.499{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=451085710DA46CC9FB9BEDBCB5B3A494,SHA256=6C480CED43F3A7CEC4CEC819BD3F957829491FC6E50B1C9A8B001F1544BFC227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099765Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:49.327{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02121D479A649E0FF2B2B328A7561D3,SHA256=54445A0D3CBC871CAA799638C6BD52EEF080CDAAEB24BDDA65B1C8898BB51B82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099772Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:54.615{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52515-false10.0.1.12-8089- 23542300x80000000000000002099771Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:50.608{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC606EB1708110CE7CB144945D8267EA,SHA256=655366819AB0504F259037682426D7D2F70D5E34CADBBFC29045A9291D84362B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099770Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:50.389{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E951C9DECA2C57F725F22D178881EE,SHA256=194D360E5FDA17BAE1CF37719B140FF327E18F566EF5CE9E68F5307E5D9A129E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099769Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:50.014{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AF01258EE48222FC428F0ADE939A9C79,SHA256=A254944CB1647EED8C10062002B0A4F479FCC9EF91BD57A5CF781166CFFB829F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099775Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:51.733{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8137FD327CADB28C65ADFEFDE16E1E72,SHA256=29BE146111D54F77226E7C10B3D2847013CC1140F8F9591666CF778775FE7E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099774Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:51.405{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770144CF20032D084829C2558543AF82,SHA256=C775BB4C450D6F670067140E1F7D9703D327198C2B0646EA17032D2A504E4C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099773Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:51.123{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85458F162F3045BF91579A5A5D9A2BBD,SHA256=6FD89829B00318043F73C66E98CC0B3DC17C1EBDB809434287FD54DEA39629C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099778Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:52.873{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2443A6443A9938C26BE99796EA6B6FBA,SHA256=C2F8F5203B0FF71D64F23D0D1862DA7546B8E530D7E8044CC1EE02B0FCFFE2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099777Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:52.452{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BCC96726C0C520370D47CCFE0FC19B,SHA256=FAED26DC2251615171077A8E47F1C8314DEC2760EF7EE3049DEC96626563DDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099776Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:52.186{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD2119A332D7BFC72F6FC0AEA024505F,SHA256=7404C68F8DC0DBFEAE93D7E2689F2B0BAC81E23F08DDAA60B1B4045CA47F944A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099781Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:53.998{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BF029E4EDB3B2691D28F218B01EE729,SHA256=174A9CFD40BC8338AB9EA6EE1F43252A1E6E1069C4EE97ECD9AC4884CFAE2BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099780Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:53.467{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F77C1FF40FAF7ECFA02762E71CB62CD,SHA256=AFC7EB1599EB8351D748EF2D255783CED74B58AD8C427710A97AFBC8DB906AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099779Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:53.342{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9DC4FC79C4498FEEC27951E4850D3F7D,SHA256=467241AD2E4AB20253693C1CAF274D6D65705884E74B968697AEADC857919697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099783Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:54.530{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91AB8A0FC96885B70F8BD2B7A83565D2,SHA256=1B20F4D802FA41335B9E4FF4EEE4E88833D76D9AD11FB58088A8BA9D51B7404A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099782Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:54.530{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA92769E7769233B6E68982E5A5BE63,SHA256=B5A4E2A8AF67106BCF35AAE95E85661F2ECE6C7F3641AD7DEEC97DBD407F6F28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099787Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:59.131{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52516-false10.0.1.12-8000- 23542300x80000000000000002099786Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:55.577{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=113F304FA7720FE4F43829559ECF4EE4,SHA256=9FD62CF775DD36A4A6CB21AA9F3333E255B32172A5C3742225123D72D04146DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099785Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:55.577{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF00C18279C1FA37D0656F3EDB0D817,SHA256=46CD14C75BD1C2865CADF64E131BAFB8289D2A9097EA0988DE996C4C8CD905A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099784Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:55.123{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E543C2D35A875A998952FEB024C71E0D,SHA256=B3243B57790822B05BF72E3E2585A6F395417597D9AF0DDEAACCBCDC7BFACCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099790Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:56.733{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=973D504358F857DFACC6BBB289F4987E,SHA256=97C48494DAA236E86D9879A881B64D28D352D5A03AB1629F6B558CBC8E99CF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099789Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:56.623{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D3BC9142080C287F7CB9A5504820D9,SHA256=769F965F4F7583BEC75002C7D276A7C065E2913882785BF72CA56DE7DE305323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099788Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:56.233{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A166512EDD89798AD900890BBF5F3D7,SHA256=0D2E350B93DCC4EACBD6D08F9910123A85B3E8BC5B534D7750724C1BBA87EC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099804Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:57.795{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=351F1A2039C231BD6D94BB28981AEB20,SHA256=0051DFB6F213FC40D739152BBDE944BC088BB2D8269DD4711B4D8FD43ADB3AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099803Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:57.639{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EBE0A2C0900B27B7FAC3C8C20A64D4,SHA256=462FD28A87E2C689E7286A21C91ECCA693EA6A959AB8C0EF5136A72FD63D1566,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099802Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:57.545{6A74A0F8-730C-6025-0D00-00000000A301}9882188C:\Windows\system32\svchost.exe{6A74A0F8-743E-6025-2702-00000000A301}864C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099801Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:57.358{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE659A0D66F3EA8F25702DB711E39B00,SHA256=A18287F3C40A07F743DFEA206D7A3D8954F9A1FFC8DC16BE2558385465C15A44,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002099800Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002099799Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x19b2d47b) 13241300x80000000000000002099798Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70484-0x98599b4e) 13241300x80000000000000002099797Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7048c-0xfa1e034e) 13241300x80000000000000002099796Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70495-0x5be26b4e) 13241300x80000000000000002099795Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002099794Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x19b2d47b) 13241300x80000000000000002099793Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70484-0x98599b4e) 13241300x80000000000000002099792Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7048c-0xfa1e034e) 13241300x80000000000000002099791Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-SetValue2021-02-16 17:55:57.358{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70495-0x5be26b4e) 23542300x80000000000000002099807Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:58.811{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6268D06E606315C904C8098F70427D96,SHA256=BB0BAF39CA147B612D456C53646A93BD80080547B8C3AEF5A29E3438AF5E4F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099806Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:58.701{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8641F7B63EEBAF842131E816501CB863,SHA256=7636DAA74B0906BCBC6403D626E74ED000397FE7DD6415EE3B0714607FDEE379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099805Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:58.358{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFC9366D7501CE8ED26897DB2CB1EE69,SHA256=268FAF65EA37D32B0A23C92588A4A1E1210159BC665093D5DCF2BB07160884F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099810Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:59.826{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EEE6C4749BE371D492A2C8DC82A6354,SHA256=1728D679DB7C2DEA989D9159519AF0A454631897ACEE4E746CCDE2739404A04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099809Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:59.717{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29208774C2430061EFB34B408FDB6BAD,SHA256=F258CABCD4DD7C84C7A06C5CD35C7029D0200E929BD28CF8FEABD9C135AD5918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099808Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:55:59.373{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73798DE92911A949D3262C81D9A2B879,SHA256=CC84D7861674CF2103EA2A6362BF2C8D64538179DA6EB21CB740883D44EEEDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099813Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:00.842{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6CA4443EE56BD8D257001776F20DCD9F,SHA256=160176938D32ED4BAB8BC142A31BCFEA987D5FC704CD8E9E29FB14EF3FB4D5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099812Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:00.748{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B463D994D746229FF44601A5C82BF5,SHA256=87B47BC37418020CE2B3B971C514FD7BC5FE780D0FC8629D1418254B7D6D8572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099811Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:00.389{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57308F9131765A4108ECB5799CFD3D92,SHA256=6303CDA59812C203E91DCB65FC85A8F055E900B48E8B7EA37F3F59248E41CD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099817Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:01.873{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A4363C0002D37E8EFD53356A07801DA,SHA256=2EA2488C7575EA50E30AA70C0774987CB2016AC45AE4844CEEF468802C967A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099816Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:01.779{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E2D799647E7B0BDD9F80EA3C49EF43,SHA256=95811D42FF2FCAD55B6A21283D5C596AB640B65740422D1CF5134662E8F6B2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099815Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:01.404{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EDD5CD03A4B3566DFD047100FA40C45,SHA256=64143516A815C254BDC151615C34B6E7EFADDB6B749592F586B798CAE74D965C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099814Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:04.193{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52517-false10.0.1.12-8000- 23542300x80000000000000002099820Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:02.967{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D16265841E86B41BBE17E2D7B9E9602D,SHA256=E9F68BB857FF9A197A0DABA2556E0896878BDD5F7B1CF03C6CC5B4648B61E32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099819Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:02.826{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98A0B6B3E5252F7E83417E69BBADE42,SHA256=01F45F3C649C41D6E2AFE69E1336EB7D0A46DDC8309CC4419722310372424AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099818Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:02.529{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8CA4ACB720A182FE374E72DBF0E1B32,SHA256=AC779E5D19CA7EE201AEEC62876D50A71F1692D8A9EA804D8550149E0D2A08A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099823Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:03.920{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2548012D431CE44C069FB83F955CC2,SHA256=B0996A2A2933867C72B83CE43CFDAD41311E1CAF8DC8F060FC8031D96A6C18DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099822Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:03.639{6A74A0F8-730C-6025-1100-00000000A301}1168NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=063DFC9D3D342877C00D1BABCAC40D95,SHA256=67BFBDC5DF5CBA87B63793D44BAAEE2420F2C6EA5DD12B6A2276DA024C7C27C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099821Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:03.545{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFE5742E3A0251E2BACF5A8FAA94D652,SHA256=67569DA64DF7C8A5C596EDA148E29CC956861557BE02E3DAC11E0E23303E868D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099826Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:04.920{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36663AFF94AA874AA2F6DB0E2E97AC79,SHA256=9D9A864D642E9BA54BE9F6711A8DDB3CFFB2C04B4F8D223536CABFF401BF241D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099825Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:04.686{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=48E461D3289328E08684DAE6B520631E,SHA256=6F7EA23E14741B1EFD7B79802C701ED7D22D3E426B3E07AD0741DB8FFE099BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099824Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:03.998{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D04FF94E78CC82C4C17FD0822223898,SHA256=A9DD139A177F012D1566E150D5FE8AC6E2CBACA0E6870C4C02C24F02223C2924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099831Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:05.936{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFF9CF609B5B544B92F2AC50C326884,SHA256=B188E39A17A5110FD30D0584EBA53BFBD30676017F4579CCFD93C571531D75A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099830Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:05.811{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46F6A0C7C93830B97AB6EB55540FB36F,SHA256=86D80111796EC6267736D3676E6D65829507A1597DA0ED9A01667A390E14E18E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099829Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.867{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52518-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 354300x80000000000000002099828Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.867{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local52518-truefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local445microsoft-ds 23542300x80000000000000002099827Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:05.186{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C86EC80828A581B814ED41734C8ABCD2,SHA256=C55AD81836C4BD571422DDD74B20A099E454C8CCD6AA516804A7FD7B13C73BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099835Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:06.967{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C6F914DB102B12E502B15A2B2DA20C,SHA256=3CF59B1CB124CB9F5D939CD3B8B1E43F1EDA93D3CB23F22BCE4B956D6D9ED56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099834Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:06.935{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C417536402ACF710B977364219741065,SHA256=791BC993C97011CE8B8A4242C5A9B43D8D6B350CB3E9D55D1B1A9C0F513170E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099833Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:09.290{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52519-false10.0.1.12-8000- 23542300x80000000000000002099832Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:06.248{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD4BBA465B83E7B405CC7B34C0052165,SHA256=43976283ED6FCA07605723DD88B224D71352106E17D9A430133B42168D7C0488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099836Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:07.389{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29A8AD40DC903022948EDCB9DB97C3BF,SHA256=BC43A0C6FF6FFD9A91D02261A6EE641A3111850D64675D9F6BE53C2294845D48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099845Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.842{6A74A0F8-730C-6025-1600-00000000A301}15325952C:\Windows\system32\svchost.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099844Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.842{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099843Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.826{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099842Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.826{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099841Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.826{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099840Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.826{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-0738-602C-D9CC-00000000A301}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099839Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.498{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAB2E17C180EAF4390C342A024A0252E,SHA256=B1DB4ACAF2CAF6F9EEC01D82BDA8BEF93210363455500DB895AB2897B8FF1CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099838Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.060{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=955D7981E0170203E8E659E0F19B5491,SHA256=D0FA5995D7D670E5B91DF712206E87A714EEBB7119F3FF245736A69037289C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099837Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:08.045{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042616CB1B8C2432C196251B11C34037,SHA256=E21A05F91900174DD88C3DEAA900D331070B384F196AC5F6D138CFF96FF30509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099848Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:09.607{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A62DC06F7CCE94A9CBF72CBDD482760,SHA256=A6706F91AF084D194BC43893D4BBCB896AA5D3C55525CF1103D05C48991062D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099847Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:09.170{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=248066355E24834DE454C26A3291C6BC,SHA256=9D8437E3A855EDAE7BEB7F58594F1D5914FB5C6726102993C33B7DDC9D196C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099846Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:09.076{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE72BB71A0B70DCC1ED7EB371148541E,SHA256=B8875118AECC7D30449C533914C47CDFE3D6421664E2F203C7D4FF1762133006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099856Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:10.623{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2558E78843BB3F709C2666953B866868,SHA256=6CC3BB8D2ECA6F56C5885D6247882014403143E944CEA5ED1B1C3CE527A828BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099855Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.597{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:7001:0:c8c0:f8fb:7e6:ffff-56208-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000002099854Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.597{6A74A0F8-730C-6025-1400-00000000A301}1328C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:c9cb:2bbb:7842:9bacwin-dc-444.attackrange.local56208-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000002099853Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.597{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-444.attackrange.local137netbios-ns 354300x80000000000000002099852Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.597{6A74A0F8-7308-6025-0100-00000000A301}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-444.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000002099851Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.589{6A74A0F8-731C-6025-2800-00000000A301}3052C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local56735- 23542300x80000000000000002099850Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:10.201{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=038516C16A4DFEF6D69CC79A894C86DB,SHA256=3469A2D2AB9029EF2E2B00362FBC66ACE8018046515D27ED6FC02AF39E4F98E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099849Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:10.092{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AE0FDB30BC354D7CCAE46A70CC5CC0,SHA256=72F3DE8B70258D962FFE0E34C5AF485B22E5CD31A47926F818D09ABFFC83E077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099860Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:11.685{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EFCA17C570E4375D793A3E82B2CB4116,SHA256=975DCE8990D4C08E42A5BADFCB2B5F4E184B678DF396FD7DC434C182891127AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099859Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.193{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52520-false10.0.1.12-8000- 23542300x80000000000000002099858Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:11.279{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07D6C7F5BC0B083EA6C2BBD98A155248,SHA256=92E81C1D55B7901E0D171A237A024C1A9C56FE1452FEB368601317670CB0AF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099857Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:11.092{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA11021BFAF1022E735E2D5FF87F882E,SHA256=857EC4E3A1C8ECDBA041B8653E6511D9C27C36D68CE523A897F4654DB2B084AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099871Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-073C-602C-DACC-00000000A301}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099870Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099869Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099868Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099867Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099866Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-073C-602C-DACC-00000000A301}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099865Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.763{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-073C-602C-DACC-00000000A301}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099864Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.749{6A74A0F8-073C-602C-DACC-00000000A301}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099863Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.701{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=49D31F878A2CE17ABEAAE3C6E57A9A8A,SHA256=6D61E9D403529010F7DFBB77052560B6DABA2DB730A0144F3CBF0D8F1D6D48EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099862Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.263{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5D7A9A6DDD5265C66675F4903F583C6,SHA256=131EF36A19D3EE7B2672980E526CBFDDE1369A3D5088D565D2F45355B677FAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099861Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:12.107{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FFDA5D317036DDD3244E1CAABA08E3,SHA256=A775F04793B2D6ECE25410BBFEED090AFC6D6D8D143BEC6153D31614A192A0B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099882Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-073D-602C-DBCC-00000000A301}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099881Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-730C-6025-0C00-00000000A301}6081676C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099880Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-730C-6025-0C00-00000000A301}6081676C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099879Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-730C-6025-0C00-00000000A301}6081676C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099878Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-730C-6025-0C00-00000000A301}6081676C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099877Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-073D-602C-DBCC-00000000A301}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099876Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.935{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-073D-602C-DBCC-00000000A301}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099875Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.921{6A74A0F8-073D-602C-DBCC-00000000A301}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099874Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.763{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57A5BC5CBF59BDFC9EFE031C552C3B9B,SHA256=1CAE80FB802848FF9DBD80F000E2703969735D0204D902DE67A89A74C2B3282A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099873Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.295{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E31D19E0822F30A60A4F7C2D68817F0,SHA256=25A4E38B5A44563E3B6AE922D9825472764604CD84718E65E5093E532D334385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099872Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:13.138{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51982801835C1F9101E833AEFAD4898,SHA256=85A6FD3E168CFDBD09A1DD31950A84E916CE59D721AFA17980E9A64E2733ECCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099894Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.888{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1890CF2B88061B962987EAFE91969D3,SHA256=6F89134C6EF95BB682428BEEF513D079059C2C0CF11A6D79CFF55A759595E569,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099893Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.779{6A74A0F8-073E-602C-DCCC-00000000A301}36086748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099892Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-073E-602C-DCCC-00000000A301}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099891Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099890Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099889Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099888Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-7309-6025-0500-00000000A301}640756C:\Windows\system32\csrss.exe{6A74A0F8-073E-602C-DCCC-00000000A301}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099887Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099886Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.623{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-073E-602C-DCCC-00000000A301}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099885Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.608{6A74A0F8-073E-602C-DCCC-00000000A301}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099884Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.420{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FCEFC733D093019522E1E16B59BF42B,SHA256=AB48C0091AD48ECFC03B8757F2000B1711E505A9418A192329A144552252EE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099883Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:14.248{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1846403464E13AEE408716324D295899,SHA256=14689C01AC38E61F49ECB1AAC5D4BEE80650D6C67FE2F9C4D47D4FA866D3D42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099906Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7CFD206468AC94AD95D3B38FE73DDD56,SHA256=2323B3F83487CCEC19432B6CDD270A2CD1AEE3C6C04E4140DE2FF9F25F5AA217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099905Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.545{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A54BF8466E1436A57C5123F15C640535,SHA256=91890A8F61BD6DCA3BC199D1B26308FCFD47064F380D548DA1FF8D165D66D845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099904Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.466{6A74A0F8-073F-602C-DDCC-00000000A301}14002704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099903Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-073F-602C-DDCC-00000000A301}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099902Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099901Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099900Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099899Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099898Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-073F-602C-DDCC-00000000A301}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099897Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.310{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-073F-602C-DDCC-00000000A301}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099896Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.295{6A74A0F8-073F-602C-DDCC-00000000A301}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099895Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.263{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0072625FAF3C7594C86B08F6627447D8,SHA256=72F936DCF3CCC4E2230C0F612387B26F9A8FAE0932953BFEC146EAB3A51C4014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099934Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.982{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4364C7D0FD56F87586DA51CCED9CC30E,SHA256=91B760CB2C72E355564B148CA1F6777F0F545BCACE7E58EB43B096D30D39FA77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099933Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.732{6A74A0F8-0740-602C-DFCC-00000000A301}63442824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099932Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0740-602C-DFCC-00000000A301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099931Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099930Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099929Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099928Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099927Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-7309-6025-0500-00000000A301}640656C:\Windows\system32\csrss.exe{6A74A0F8-0740-602C-DFCC-00000000A301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099926Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.591{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0740-602C-DFCC-00000000A301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099925Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.577{6A74A0F8-0740-602C-DFCC-00000000A301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099924Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.529{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=646E3D2A9BA1D1B4FDD81C102C23150E,SHA256=21DD23B24C26B650F6B80A6C39B58038D925C905594179760E98788E196FA275,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002099923Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:20.240{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52521-false10.0.1.12-8000- 23542300x80000000000000002099922Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.357{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E65716E309C72B9E566114981A62419,SHA256=E5E65D5A5372060FF8DA91DCEAFB839C252EB4E6BEC4B9E275BF7EBFECB78A46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099921Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.138{6A74A0F8-073F-602C-DECC-00000000A301}79485476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099920Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099919Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099918Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099917Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099916Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099915Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:16.123{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099914Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-073F-602C-DECC-00000000A301}7948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099913Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099912Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099911Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099910Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099909Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-073F-602C-DECC-00000000A301}7948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099908Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.998{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-073F-602C-DECC-00000000A301}7948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099907Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:15.983{6A74A0F8-073F-602C-DECC-00000000A301}7948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002099945Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.982{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FBFEC1E2058FE513F1BD48CCA1D4C1A7,SHA256=50B39ACB2B49132BE34A79B5522723C73C30595FD13CD2E35457B9C5C51919D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099944Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.545{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9A49311A6B385711BC431F7FC3358C4,SHA256=BF66649C5C70A620862DBB65B4504563CC8B3C4ABCB52D84184B5831D3212BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002099943Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.404{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD06E17FDBC9571747AC49A05D40B7F3,SHA256=754BFA82FE8023AB5C84DB5CB1C6BDDE8B33F832D5F64E017D5A262F80C57DB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099942Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-7380-6025-CF01-00000000A301}39284836C:\Windows\system32\conhost.exe{6A74A0F8-0741-602C-E0CC-00000000A301}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099941Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099940Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099939Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099938Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099937Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-7309-6025-0500-00000000A301}6401184C:\Windows\system32\csrss.exe{6A74A0F8-0741-602C-E0CC-00000000A301}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099936Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.216{6A74A0F8-7380-6025-CB01-00000000A301}51125040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6A74A0F8-0741-602C-E0CC-00000000A301}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002099935Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.202{6A74A0F8-0741-602C-E0CC-00000000A301}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6A74A0F8-730A-6025-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002100002Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.935{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100001Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.935{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100000Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.919{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099999Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.919{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099998Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.919{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099997Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.919{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002099996Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.576{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=79260CFBDD875C6B45823696CDFE76D1,SHA256=267FA7B6D14B767F50A3EE43238B13DCD1E2D747FCBCD4CC70AD452CA4AF81F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099995Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-0742-602C-E4CC-00000000A301}57885124C:\Windows\system32\conhost.exe{6A74A0F8-0742-602C-E5CC-00000000A301}3840C:\windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099994Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099993Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099992Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099991Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-0742-602C-E5CC-00000000A301}3840C:\windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099990Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099989Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.560{6A74A0F8-0742-602C-E3CC-00000000A301}61766812C:\Windows\SysWOW64\cmd.exe{6A74A0F8-0742-602C-E5CC-00000000A301}3840C:\windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002099988Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.565{6A74A0F8-0742-602C-E5CC-00000000A301}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exeC:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 10341000x80000000000000002099987Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099986Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099985Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099984Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099983Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099982Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099981Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099980Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099979Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099978Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099977Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099976Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099975Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.545{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099974Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.529{6A74A0F8-730C-6025-1600-00000000A301}15325952C:\Windows\system32\svchost.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099973Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.529{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099972Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.466{6A74A0F8-0742-602C-E4CC-00000000A301}57885124C:\Windows\system32\conhost.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099971Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-743B-6025-1B02-00000000A301}23163668C:\Windows\system32\csrss.exe{6A74A0F8-0742-602C-E4CC-00000000A301}5788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099970Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099969Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099968Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099967Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099966Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099965Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.451{6A74A0F8-0742-602C-E2CC-00000000A301}35642328C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159c3d(wow64)|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+612b|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+85be|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+97e5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002099964Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.449{6A74A0F8-0742-602C-E3CC-00000000A301}6176C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 13241300x80000000000000002099963Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-16 17:56:18.435{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exeHKU\S-1-5-21-3629283219-3078244836-3188048466-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x80000000000000002099962Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.420{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A4DAB1542E9998E89F1BCCFFC8918C,SHA256=1F098201043EA9C455873AD9CAC576ABE07115EDCB03B52A6D9C643E29A04799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002099961Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.091{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099960Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.045{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099959Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.045{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099958Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.045{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099957Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.045{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099956Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.045{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099955Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.029{6A74A0F8-0741-602C-E1CC-00000000A301}16201128C:\ProgramData\chocolatey\bin\PsExec.exe{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFD86A71B0C) 154100x80000000000000002099954Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:18.037{6A74A0F8-0742-602C-E2CC-00000000A301}3564C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe2.32Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.c"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=73CBC2080973A292EA8AE8663D0536AA,SHA256=5E245281F4924C139DD90C581FC79105EA19980BAA68EECCF5BF36AE613399B9,IMPHASH=3A7027A9D54E3A7C74FB919CA7B1C544{6A74A0F8-0741-602C-E1CC-00000000A301}1620C:\ProgramData\chocolatey\bin\PsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 10341000x80000000000000002099953Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0741-602C-E1CC-00000000A301}1620C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099952Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099951Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099950Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099949Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099948Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0741-602C-E1CC-00000000A301}1620C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002099947Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.998{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-0741-602C-E1CC-00000000A301}1620C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x80000000000000002099946Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:17.989{6A74A0F8-0741-602C-E1CC-00000000A301}1620C:\ProgramData\chocolatey\bin\PsExec.exe2.32.0.0Execute processes remotely - shimSysinternals PsExecSysinternals - www.sysinternals.comPsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=FFD3A44A92F889323F1AC8C00F663213,SHA256=D0AA444A01938C17D83EEF000663EDBDCA17EBFFFC75920C39DBA03407AE45FD,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002100005Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:19.685{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74605F67602BDF2932D7E4848062F6B6,SHA256=9F896734CC2FE933DD5B0C3244AE076E54887CEC1567F0C92D1CF409E08E91F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100004Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:19.560{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E47DC407D2E911990FE9178E319BA01,SHA256=048A1A8C1E706D365495B52420E2A9E9C08814E8576ED00450BEF31C2CD5212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100003Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:19.029{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=510C7ACABB85E728BC97E0365FA7ECD6,SHA256=9C0809AE9DC504C978282468F8902CF7462C289E4C51739ED1D28DABC3A439F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100008Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:20.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1D91AD4D06DF19F3FDE80E6A0AAF754D,SHA256=77FCDE59ED3544E92251020E26903CBA368BAB85F604A9E79E5080489507FB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100007Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:20.576{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050FD7CF68A9C35615ED4CD97E4FF014,SHA256=C298124CC8093C2216622E82AFC8EF9D9FC82AE2435490BF445F842326B47F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100006Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:20.154{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDEDB39D4F9B2D96BE5B687AE6F0B370,SHA256=0BA8C8DDE58D904FF7A0E15F365C8CDE1EEEE04C8107561B4FA2E4B80E45C647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100012Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:21.826{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA5121EACA242BF8CC2ED338C55DAE28,SHA256=D38D895A0AFC5A19BB0733A25DE823B9B4CBC7BF546D94CF343AC85FC79D59F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100011Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.318{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52522-false10.0.1.12-8000- 23542300x80000000000000002100010Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:21.591{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0086ABCACB8C14C454D3B38007C88514,SHA256=FDF0BEAFF73129BEB329FD8E8326099DC550144B0D74EE91E611E5F30A048048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100009Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:21.263{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2E9B10175174F2CD0C813AD2128BC26C,SHA256=1FD2228A443DC6A73AF1FF29B838492EBBC51BCF16769AE13B6DA097CB903689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100015Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:22.841{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E03A51B8689D5A1595BB92EAB8C537D,SHA256=D9187518EB79DE5715038B9EF94A4E84A5AF9EA3ADBBBB04B824B377E1A1E32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100014Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:22.623{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C8BFFE8E3CD4CF8A8B88F090527E79,SHA256=998086B2D169A680516BC9720F409E94302CEC5131C088363A57EA130288905F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100013Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:22.279{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41803C6E04D9A9740CC95B123781C948,SHA256=00FE0072AC571EC29377A83D4CD239750B74BB6C8B7511137C9A0C1FB63AB949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100074Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73B518E425E97D4303F403DC48ACB1B7,SHA256=7A28B8855836DD1A16804D0DF0A47B8CA87C66A8516F231C2C9CFDCD3DC49C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100073Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.654{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ADC9A931D99BB6CBCC41B7E6EF8433,SHA256=D8D0C08314EDFD26F2154D6B3C808F2624A0CC656EE6D8AB677898C20C803CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100072Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.310{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A5C3FE76CD95BA53ACC1F46ED02FCB4A,SHA256=FC77150E630FAFFD61D36A635F392AC9102E911E5B416C9047D86D07C8E27390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100071Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.247{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100070Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.247{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100069Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.232{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100068Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.232{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100067Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.232{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100066Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.232{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002100065Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.232{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CAF64E351F065BDF142C62BE535F37,SHA256=2ABC3FE8490CB52E932C36BDABF2DFB2FC4AD1E5226D92B54AE2ADF0E777EF15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100064Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.138{6A74A0F8-0747-602C-E9CC-00000000A301}69404508C:\Windows\system32\conhost.exe{6A74A0F8-0747-602C-EACC-00000000A301}880C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100063Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100062Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100061Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100060Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-0747-602C-EACC-00000000A301}880C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100059Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100058Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.107{6A74A0F8-0747-602C-E8CC-00000000A301}64526792C:\Windows\SysWOW64\cmd.exe{6A74A0F8-0747-602C-EACC-00000000A301}880C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100057Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.109{6A74A0F8-0747-602C-EACC-00000000A301}880C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exeC:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10341000x80000000000000002100056Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100055Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100054Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100053Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100052Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100051Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100050Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100049Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100048Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100047Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100046Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100045Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100044Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.091{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100043Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.076{6A74A0F8-730C-6025-1600-00000000A301}15327856C:\Windows\system32\svchost.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100042Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.076{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100041Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.076{6A74A0F8-0747-602C-E9CC-00000000A301}69404508C:\Windows\system32\conhost.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100040Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-743B-6025-1B02-00000000A301}23163668C:\Windows\system32\csrss.exe{6A74A0F8-0747-602C-E9CC-00000000A301}6940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100039Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100038Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100037Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100036Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100035Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100034Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.060{6A74A0F8-0747-602C-E7CC-00000000A301}42042096C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159c3d(wow64)|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+612b|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+85be|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+97e5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100033Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.065{6A74A0F8-0747-602C-E8CC-00000000A301}6452C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 13241300x80000000000000002100032Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-16 17:56:23.060{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exeHKU\S-1-5-21-3629283219-3078244836-3188048466-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x80000000000000002100031Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100030Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100029Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100028Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100027Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100026Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100025Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.044{6A74A0F8-0747-602C-E6CC-00000000A301}66565808C:\ProgramData\chocolatey\bin\PsExec.exe{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFD86A81B0C) 154100x80000000000000002100024Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.047{6A74A0F8-0747-602C-E7CC-00000000A301}4204C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe2.32Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.c"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=73CBC2080973A292EA8AE8663D0536AA,SHA256=5E245281F4924C139DD90C581FC79105EA19980BAA68EECCF5BF36AE613399B9,IMPHASH=3A7027A9D54E3A7C74FB919CA7B1C544{6A74A0F8-0747-602C-E6CC-00000000A301}6656C:\ProgramData\chocolatey\bin\PsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10341000x80000000000000002100023Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0747-602C-E6CC-00000000A301}6656C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100022Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100021Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100020Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100019Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100018Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0747-602C-E6CC-00000000A301}6656C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100017Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.013{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-0747-602C-E6CC-00000000A301}6656C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x80000000000000002100016Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:23.003{6A74A0F8-0747-602C-E6CC-00000000A301}6656C:\ProgramData\chocolatey\bin\PsExec.exe2.32.0.0Execute processes remotely - shimSysinternals PsExecSysinternals - www.sysinternals.comPsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=FFD3A44A92F889323F1AC8C00F663213,SHA256=D0AA444A01938C17D83EEF000663EDBDCA17EBFFFC75920C39DBA03407AE45FD,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002100076Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:24.732{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16E9D0111A62044088E1B1CC1D65290,SHA256=00D359BB3A53A027717CB0FE6E2026F5909AD3779CDD8982DDA6198539D1C945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100075Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:24.435{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2205BC5F88C1FFEA8CF027C2206DEB0,SHA256=C839117143B18D56C6EE55A4732E8A2D83F0B2B9BA0C1AED3B8DCA9EEDA9CF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100081Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.779{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D832325BFCF5D25B2109C3FF60A185,SHA256=44B8E7F07C44D9C957C9F6E36FD90878051C4DC5F657F28C8AE2DE8758CE8479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100080Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.591{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=44FA5D6DBB09934ABCDA90B4BEE1A222,SHA256=8DBF74E74B29915D4AFE8861C1D222264FDCEF495F114AC83DCDCFD80E3B4D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100079Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.169{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36635316766FF4771613FD7449D113B9,SHA256=70BEFCC1DE46311E1529CEE4F774098F970E2A301DF1693FD093A56284F3E510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100078Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.169{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=124DE5BB680BF9120729726D86E932DE,SHA256=414BFC75719F31589D97F759390B3D54B69D1C184626A90C42002110F0D62150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100077Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:25.107{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=561A72511C15995B5A2E7BBD20C213FB,SHA256=6C9F041B3790800DAF8070B79E0ED96A73CC6FCF577051E67837AD7E362322AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100084Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:26.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F18C0826610F834295E5F5425F11DDB,SHA256=1C1A7A44287C4865680CA0D6FEF39F0FC9904CAD0C74C4D8E851A79DCF68CC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100083Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:26.701{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=811A0AAFE87F15DD432E2E70100D755C,SHA256=9CC240288817E5A19DE862190C6D09E6FB2E39CEB45A991880557AF59DF352E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100082Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:26.216{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B44FBBF26355DC90144A1C68F387548D,SHA256=33E6BAA7B3EEB41B67C598972742F12964D4874F0660FE02CA3DB58E00D4816D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100088Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:31.115{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52523-false10.0.1.12-8000- 23542300x80000000000000002100087Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:27.825{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FC0FFC6F9D34CFC3EAE90D950E57C0,SHA256=CEA2C7C43000658F1E70A750E8F47C51B4ACC82A88495CCEB5CDA1A7DBA610C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100086Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:27.794{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAFCDD94DC2472BD2FF8D79A175E0E05,SHA256=89F3120ABFE0B6A34450FE7AD5415B79D4E34A7B1E858D0E371745E8172DA51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100085Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:27.357{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A0C4FD7BD38EF98D41C80B7C065ACFA,SHA256=052DE1B85DD769C330834FA1D4CD3BC7D055C9E61FEED6BEEB5DD6259F9AEBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100091Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:28.904{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8C0A8471E9774CBD0F547CD06FF2700F,SHA256=4A1AA7B0F673642B16BCFED166FC45F29E2FD5674873B6B48F2C048AB790DC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100090Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:28.904{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DD4298F88DB90E51B9895AAD30A9F0,SHA256=A51947B39D40EC4BD4D5F7085E364A45C3B8A0C6461E7D071BD5F1389C4C66E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100089Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:28.482{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B41D9B12620DC7B7518FD10A7979DCB,SHA256=F74E27C1BCB1678D83E9253FCE43AEAB46704E53DE45BE0B139842E9E0BC21DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100094Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:29.919{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE5C495FAB7B9CD34E34638B6E09798F,SHA256=FA292A998BC16FCB9F789CCC510FC3F307BED27BAD9400075BFAFA96A2C507F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100093Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:29.919{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44853F1AA7DD7E7A151E2751EEBA415B,SHA256=8DF38E2FA6609641673C3B9A07643D83436E6105A248FD9D20B354D2E8407D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100092Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:29.466{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=325297D1CC9AEF78EE2E5CEB30011B0E,SHA256=7B6784ECFECD00DE7F89A1527E4739D39F6D21ABCF90FEC52E9E8AB150CE20D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100097Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:30.950{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE38C661C7F949A64E7053ED696E2D57,SHA256=56AC629929AB9B01AA52E39BBC295BF734F184E4CFA0CF04B723E117EA9329FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100096Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:30.935{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=77F0AB0CC60F695AE40BC037DAB58FC4,SHA256=8D1E65EB0725A2FAAB3EDBA4BF989CB958771BA7BE9E7B03C2D4EFE52E062C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100095Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:30.497{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6806B4BEA08572894E604482D5FD8E3E,SHA256=2ED03AC0C2A5DBBA76E8811965DECEFD0B7CD4DE1BC83580E21BD6AB6F97C26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100100Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:31.982{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90A17E85BC8782CEE6FA5018ADAD4E99,SHA256=6F88BF3480CCF5F91794744DF8AAC7A0982D2BFAF9228AEDDB5C79DA04408B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100099Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:31.982{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E5319ABF3D0602CA4DD04E1DCB8285,SHA256=8BB6A39F4CCB6FD7DE3E79CDECC31063824F828840B1160B3A6B2AC5F13830F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100098Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:31.513{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB85C17E123CB908161937F2898F192F,SHA256=2D83A469800AF321C15C2ABE14EFCBEF112556267E25F6410DB2CCAA5D0EFE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100157Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.841{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DD31AC001409CE02380146186DF3A8,SHA256=483992F751C06C5E4A6AE21E20E12CECBAA6E5B3064CC0E9849F48CAD15819E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100156Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.794{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100155Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.794{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100154Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.778{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100153Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.778{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100152Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.778{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100151Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.778{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100150Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.747{6A74A0F8-0750-602C-EECC-00000000A301}76326132C:\Windows\system32\conhost.exe{6A74A0F8-0750-602C-EFCC-00000000A301}7060C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100149Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100148Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100147Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100146Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-0750-602C-EFCC-00000000A301}7060C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100145Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100144Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-0750-602C-EDCC-00000000A301}1724312C:\Windows\SysWOW64\cmd.exe{6A74A0F8-0750-602C-EFCC-00000000A301}7060C:\Temp\notregasm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100143Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.742{6A74A0F8-0750-602C-EFCC-00000000A301}7060C:\Temp\notregasm.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Assembly Registration UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegAsm.exeC:\Temp\notregasm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=F9962526636C4082079C16F5CBD18A21,SHA256=193D0E779528278A422C64E94D9D8AC623FCB1323038D33D2B820EAD608EF515,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c C:\Temp\notregasm.exe 10341000x80000000000000002100142Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100141Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100140Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100139Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100138Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.732{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100137Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100136Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100135Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100134Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100133Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100132Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100131Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100130Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100129Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-730C-6025-1600-00000000A301}15327856C:\Windows\system32\svchost.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100128Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.716{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100127Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.700{6A74A0F8-0750-602C-EECC-00000000A301}76326132C:\Windows\system32\conhost.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100126Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.700{6A74A0F8-743B-6025-1B02-00000000A301}23163668C:\Windows\system32\csrss.exe{6A74A0F8-0750-602C-EECC-00000000A301}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100125Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100124Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100123Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100122Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100121Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100120Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-0750-602C-ECCC-00000000A301}36844996C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159c3d(wow64)|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+612b|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+85be|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+97e5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100119Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.698{6A74A0F8-0750-602C-EDCC-00000000A301}172C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c C:\Temp\notregasm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\Temp\notregasm.exe 13241300x80000000000000002100118Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-16 17:56:32.685{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exeHKU\S-1-5-21-3629283219-3078244836-3188048466-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x80000000000000002100117Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.685{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100116Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100115Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100114Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100113Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100112Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100111Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.669{6A74A0F8-0750-602C-EBCC-00000000A301}25726328C:\ProgramData\chocolatey\bin\PsExec.exe{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFD86A81B0C) 154100x80000000000000002100110Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.680{6A74A0F8-0750-602C-ECCC-00000000A301}3684C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe2.32Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.c"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\Temp\notregasm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=73CBC2080973A292EA8AE8663D0536AA,SHA256=5E245281F4924C139DD90C581FC79105EA19980BAA68EECCF5BF36AE613399B9,IMPHASH=3A7027A9D54E3A7C74FB919CA7B1C544{6A74A0F8-0750-602C-EBCC-00000000A301}2572C:\ProgramData\chocolatey\bin\PsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\Temp\notregasm.exe 23542300x80000000000000002100109Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.638{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=723F97D0FB84DC5193D7E61D077D37DC,SHA256=009E929CD74F32FF21A5A8274CD59148D840769C4F90D8E99897FC19708AA537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100108Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0750-602C-EBCC-00000000A301}2572C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100107Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100106Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100105Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100104Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100103Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0750-602C-EBCC-00000000A301}2572C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100102Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.622{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-0750-602C-EBCC-00000000A301}2572C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x80000000000000002100101Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:32.621{6A74A0F8-0750-602C-EBCC-00000000A301}2572C:\ProgramData\chocolatey\bin\PsExec.exe2.32.0.0Execute processes remotely - shimSysinternals PsExecSysinternals - www.sysinternals.comPsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\Temp\notregasm.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=FFD3A44A92F889323F1AC8C00F663213,SHA256=D0AA444A01938C17D83EEF000663EDBDCA17EBFFFC75920C39DBA03407AE45FD,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002100161Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:33.653{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E889C844DC8CE7F728B11658F4D6463,SHA256=F707B878E8C590C0FBECA0C7A845832DAFB9491B64B830A08795C0E8A78CD0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100160Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:33.091{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92C0C39B02E99191A5C1CB7A3025BAC1,SHA256=3002581F145FD849F94371C706171F281C0F9A5A36C577C63ACC71307CEFC89B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100159Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.208{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52524-false10.0.1.12-8000- 23542300x80000000000000002100158Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:33.044{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A04395478C8E8351685B9094C16677,SHA256=FE5FB1A80F1558D80E61B4FBDE35C6803D69176BD1BAAB1BA9D59EBD19F7B15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100164Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:34.685{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=379A3A54047B38B97CD8871E6197A06B,SHA256=4C85B47F51A6CB2E90AAF48E499CE5A4C03C305100EDD9FE4D9D73066AB51C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100163Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:34.122{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E5BE341616F547E501DB66ACCD5418C,SHA256=C0CFB496A41B9D78D2DF6AACC1088DF8A1AA776F2870A17C7490D3026118DCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100162Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:34.075{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327B6CD2496F5BE9CF878FC5A3D5D5A4,SHA256=232119F9FFE3284CBAF4B6FE1F1FB5BE47471FD21D0F59D2DA2FD084DDAA0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100167Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:35.810{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72DB9710E0A752AF802071BB966A2C6B,SHA256=2C4EFB9A3307868AFF3609810E95D356FB9C8E1B59A017A9A4ECC145CF4A3FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100166Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:35.138{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E71A381B91D08F619A2B01CE764C8B,SHA256=7809137C6D236B8C552A7E3E4B662DFE74F2F1BF53C8F55DDDF46A84D1D9D416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100165Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:35.122{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=67ECFA3A7B904927D70C64815A955C87,SHA256=FF518E5B034A6BA003419ACA94FB21916B7BB16B400EBA39732E0DA79559F920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100228Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3909F99AE0296BE4398D8A8C2589591,SHA256=630A59B702BCFA1E4629C1485899CA831B547D597999C8526B699ACA3C80C19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100227Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.513{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25A66F9167EBBAD4FEC9E83D36A4CB0,SHA256=AC24C57B12D644AF04323613AB2E3D8BE853031951E6F5516914A057BF2FA8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100226Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.513{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E7401E12140CF5EB1EFDAEE06680401,SHA256=46EFA060FCC3A0B6A66D808B6D2F28B6D903599CD2BC6562C2DC19F5CD97520B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100225Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100224Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100223Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100222Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100221Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100220Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-B11A-6026-E32B-00000000A301}3216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002100219Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.497{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FAE8C05A236507FCF63199670906BC6,SHA256=3CB3DC072A8776AB98CAA583F7692D51012FA5D4129CBE693EB39C94ECB14845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002100218Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-0754-602C-F3CC-00000000A301}66485000C:\Windows\system32\conhost.exe{6A74A0F8-0754-602C-F4CC-00000000A301}2080C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100217Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100216Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100215Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100214Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-743B-6025-1B02-00000000A301}23164552C:\Windows\system32\csrss.exe{6A74A0F8-0754-602C-F4CC-00000000A301}2080C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100213Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100212Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-0754-602C-F2CC-00000000A301}25606400C:\Windows\SysWOW64\cmd.exe{6A74A0F8-0754-602C-F4CC-00000000A301}2080C:\Temp\notregsvcs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100211Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.442{6A74A0F8-0754-602C-F4CC-00000000A301}2080C:\Temp\notregsvcs.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Services Installation UtilityMicrosoft® .NET FrameworkMicrosoft CorporationRegSvcs.exeC:\Temp\notregsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=8461A1EDB62C7E84E5E70649A5FD47E4,SHA256=5B4A32C5E13161A7D75B9C2CDF705C8980DBB0EBA421CC23EDE48AFCA699194F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c C:\Temp\notregsvcs.exe 10341000x80000000000000002100210Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.435{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100209Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100208Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64244872C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100207Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100206Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-743E-6025-2B02-00000000A301}39124972C:\Windows\system32\taskhostw.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100205Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100204Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100203Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100202Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64247212C:\Windows\explorer.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100201Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100200Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100199Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100198Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.419{6A74A0F8-E191-602B-02C8-00000000A301}64245668C:\Windows\explorer.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100197Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.403{6A74A0F8-730C-6025-1600-00000000A301}15327856C:\Windows\system32\svchost.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100196Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.403{6A74A0F8-730C-6025-1600-00000000A301}15321576C:\Windows\system32\svchost.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100195Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.403{6A74A0F8-0754-602C-F3CC-00000000A301}66485000C:\Windows\system32\conhost.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100194Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.403{6A74A0F8-743B-6025-1B02-00000000A301}23163668C:\Windows\system32\csrss.exe{6A74A0F8-0754-602C-F3CC-00000000A301}6648C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100193Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100192Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100191Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100190Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-743B-6025-1B02-00000000A301}23166476C:\Windows\system32\csrss.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100189Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100188Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.388{6A74A0F8-0754-602C-F1CC-00000000A301}68401740C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159c3d(wow64)|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+612b|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+85be|C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe+97e5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000002100187Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.398{6A74A0F8-0754-602C-F2CC-00000000A301}2560C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c C:\Temp\notregsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\Temp\notregsvcs.exe 13241300x80000000000000002100186Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-16 17:56:36.388{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exeHKU\S-1-5-21-3629283219-3078244836-3188048466-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x80000000000000002100185Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100184Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100183Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100182Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100181Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100180Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100179Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.372{6A74A0F8-0754-602C-F0CC-00000000A301}12921108C:\ProgramData\chocolatey\bin\PsExec.exe{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFD86A61B0C) 154100x80000000000000002100178Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.381{6A74A0F8-0754-602C-F1CC-00000000A301}6840C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe2.32Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.c"C:\ProgramData\chocolatey\lib\sysinternals\tools\PsExec.exe" cmd.exe /c C:\Temp\notregsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=73CBC2080973A292EA8AE8663D0536AA,SHA256=5E245281F4924C139DD90C581FC79105EA19980BAA68EECCF5BF36AE613399B9,IMPHASH=3A7027A9D54E3A7C74FB919CA7B1C544{6A74A0F8-0754-602C-F0CC-00000000A301}1292C:\ProgramData\chocolatey\bin\PsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\Temp\notregsvcs.exe 10341000x80000000000000002100177Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-B11A-6026-E32B-00000000A301}32167180C:\Windows\system32\conhost.exe{6A74A0F8-0754-602C-F0CC-00000000A301}1292C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100176Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100175Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100174Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100173Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-730C-6025-0C00-00000000A301}6087152C:\Windows\system32\svchost.exe{6A74A0F8-731C-6025-2900-00000000A301}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100172Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-743B-6025-1B02-00000000A301}23161552C:\Windows\system32\csrss.exe{6A74A0F8-0754-602C-F0CC-00000000A301}1292C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002100171Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-B11A-6026-E22B-00000000A301}65727308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{6A74A0F8-0754-602C-F0CC-00000000A301}1292C:\ProgramData\chocolatey\bin\PsExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c94532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8912e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c93a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88dac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c88da232(wow64) 154100x80000000000000002100170Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.336{6A74A0F8-0754-602C-F0CC-00000000A301}1292C:\ProgramData\chocolatey\bin\PsExec.exe2.32.0.0Execute processes remotely - shimSysinternals PsExecSysinternals - www.sysinternals.comPsExec.exe"C:\ProgramData\chocolatey\bin\PsExec.exe" cmd.exe /c C:\Temp\notregsvcs.exeC:\AtomicRedTeam\atomics\T1055.004\src\ATTACKRANGE\Administrator{6A74A0F8-743D-6025-3A8E-140000000000}0x148e3a2HighMD5=FFD3A44A92F889323F1AC8C00F663213,SHA256=D0AA444A01938C17D83EEF000663EDBDCA17EBFFFC75920C39DBA03407AE45FD,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6A74A0F8-B11A-6026-E22B-00000000A301}6572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002100169Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.341{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCA426955C869F7458085D7780002D1B,SHA256=C7EC85FDFFE10D4AC1B2970425FE17814331795021BC152AD37BAD64A2FB5DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100168Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:36.200{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A07CB516E06BEE8E5894BAF443482EE,SHA256=CBD120487E57C94286D5D563912F36736FB43D3F219BF3EFDB455C530901F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100232Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:37.403{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD230AFC0B89CEFD34E5330ACA539F37,SHA256=4B5D611FB731FE38B398F82196240626CE7E0B773BC49EAC824EF4DA72AFFEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100231Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:37.247{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16113BCEEC885FFA4177FCED2FFF3ED3,SHA256=67189A6DAE6F3B094058585827E3A204E8B7E77B84DD9EF864EF959A7C6371E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100230Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:40.568{6A74A0F8-730A-6025-0B00-00000000A301}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52525-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 354300x80000000000000002100229Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:40.568{6A74A0F8-731C-6025-2400-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-444.attackrange.local52525-true0:0:0:0:0:0:0:1win-dc-444.attackrange.local389ldap 23542300x80000000000000002100236Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:38.575{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE8BAB3EF71BF3BAD05B143FD18C0395,SHA256=7DDDEE9403313DDAACA857F9FE2CABFB58FBE2810F5978F0ACD0AAE68305FAE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100235Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:41.271{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52526-false10.0.1.12-8000- 23542300x80000000000000002100234Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:38.247{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732CCA527C22506AFD07266D0F5428A3,SHA256=E6552991058C31E9CE0C178E0E27DD03D0C65CABEC6E81893047AD00EAC48B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100233Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:38.091{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9F8120BA5B52DED94F9DBC40B04A3F4,SHA256=3B886734F1A392EA488468AE72E632588909306B7FC38397DFB5C36CDEC1A84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100239Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:39.716{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8754A089866AE294E8DE00404E1DCF1F,SHA256=8669E15BB3714CB638AF0588F12E1285B11274182902A0344DF30B5134CE42DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100238Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:39.263{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0EA873C4BB652BF0F4347FB98F55D4,SHA256=2444AC7A0DA596E94625B60C62E48CEBBFA623FEC6681C0E8EBD99698F210CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100237Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:39.231{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB32AF3D2144FD95C5059B2409F244C9,SHA256=921276C5D78264077DC849CE6B20A1EFDEEAB9B0481DF604211D865596172E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100242Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:40.669{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BB2229BE0B8F4D273452850F6BC86F51,SHA256=DAF511D6FF5D2BAE5E671B19AB0ABD90EC8790B646A1A1DBC9AF842AEB4CCFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100241Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:40.278{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABFC2C38E5CDAD5776E5E27C4B3558A,SHA256=8863664F30C4191D23A7D6B70CA796AFE2E90FD93260BB7C534A09BF4CFC4D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100240Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:40.216{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D48E4AD30DA93CB1527588E8D9D634A3,SHA256=ACD6744C7186C749DA079F9002120C2D8173DDC117FD6438B84B2C0854252AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100245Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:41.700{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B90C8C14ACA882B949888AA3FC5EE51,SHA256=31EBB662E563136D9FD5655369B065A3ED9531290ADEE92AF4ED5424F002EB95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100244Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:41.294{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD9419B476C7FB6C68DF048B60C8854,SHA256=25B08C078439EC389A60FD059477D257F6C46B644BFDDD14F2EE56548878E064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100243Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:41.247{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB9E02FBFF1A90E0783D3F1FC850C39C,SHA256=6ECCCBF92B5CA790F1BFB4939B2FE26035852237BA3CE5FC8629546E81FD2BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100248Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:42.825{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=744D98D4842EB17988B6C79C9BDC5B81,SHA256=3C085992A25510BC5378103DB56D60D6FAE452F9A160ACC7D0D3281D6447711D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100247Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:42.356{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01F7BDE2E0C32CC548A46E295A2D4424,SHA256=5DC85DE828850F41C71CEAE84115583DA00B6A510435A5DD282AF3BBCAFB547D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100246Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:42.341{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0842A230668523DB500845BC240FBC1A,SHA256=0A42A1E8C35A16FCAB01EE10EB9512C172582C57CFF37B85E32A698DAE2735AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100252Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:43.919{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=754612DEBC6522B2EE8F0093F764E3DE,SHA256=B59A24E2CB6193812C3B678B535C72C8419D44F64F8A785D05FD52C7E48F301F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100251Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:43.481{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DF5F4F9453DBD74042A32DDB5DB74785,SHA256=CD3C3CB167B14152BF2B0900E6CE3FA45DFA3A0AE604012207EDCF609FBE574A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100250Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:47.130{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52527-false10.0.1.12-8000- 23542300x80000000000000002100249Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:43.434{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2242D62819D1794D2F95BE8A13E6AB,SHA256=018E1DA97E022CF6A108204DCF785F72CA894BA16717E6C7F3F214B7A370031B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100255Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:44.966{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F372FE3E3F7DAECB3AE033450297B085,SHA256=1801C07DF0BDA8C69998FEEDF353B3DBB3D1153C977F16ED61B0073F2C9F26CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100254Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:44.497{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=596B351DC0460984EDB02B7D76695F97,SHA256=4A585665E053FA6E73BA3E3ED9ED03E790FF6BB9E84BB1AE4449ADAE116AD53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100253Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:44.450{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3EB9EF7D94676E6607ED8E4A3CCBF1,SHA256=A0F11A5BE225E91B8DC0BE6617F3A993570ED090D24E9044AC5033E073525173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100257Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:45.559{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F45E84277C7E6916B3596E955CBC0471,SHA256=1DFA36564A539C13CC50E881EF6D991F38781E998DC7885F861D7AE153BD0FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100256Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:45.466{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D000E32D41E64EC0E9B9D55E1B4E1CF8,SHA256=8BC8AB2E5F2C2F8868E6B8A7B0A1C276BB2D989FC15F60123ADE72F2208D35C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100260Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:46.684{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D1EA657BC4BE3C6530E9D08B56C0B47,SHA256=1899669B9431E15957AB6A982500803AAC0A9518F6AAA8228058B5A8885DF2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100259Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:46.497{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB8C9B537242623671FE34365E418E5,SHA256=977215ED7EAF9E38B9CF55F8C4D2A608DF7EC3E03ECDBD989C166965DAE1C0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100258Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:46.028{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E11D8503163CC465F4856B5377634968,SHA256=466A9C4B3B78A427D1AAE6066A5CE93ABD8CA6A2F4F26F6877A3C2F1D01DAE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100263Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:47.809{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E5CED109F82ECD00B98CBD7EF3D7B2F9,SHA256=A622AE9E15BE2457485913DDEADEECC048921126632658B6162EB248E598EF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100262Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:47.544{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E6D34ED6B7434225A794AFD74D09DB,SHA256=FEE5FA17C394F31159299AC5DE31E285423A1D0003419733AD936EB7F41A5954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100261Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:47.153{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97CEEA0CD461E5055B7AA0C3ED69BBAE,SHA256=17F084CE1673CA7CDAC5BD9098EAD1E2CB3C5831327E32FF70C5F98D0925C5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100267Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:48.825{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F4C260F4CFDFC19ED612507C7638A1B,SHA256=AF83C6FD798C4BCEFF39DF63EBD90C2A306EA36133FD806E0188EF6107364C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100266Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:52.208{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52528-false10.0.1.12-8000- 23542300x80000000000000002100265Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:48.559{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B7466FF6CABCF25B2E2C1D9469A441,SHA256=1EA94952284996D6A5D7C20DF7064B1BD504E06707477815D193A4582BD18E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100264Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:48.262{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBF2114B8806C1C9F988F2329BE4C7C0,SHA256=F86C502E2A1DEE3BE2DAA3699F933454BE154493ED690D22586AE4A776470A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100271Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:49.950{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=06D6BE09E263C3B09553BC520B242DA8,SHA256=FEA47A18B22AB3EB6BC18764C76E5535B434D22ECAD1690DE5A84DAF8E8ECDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100270Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:49.575{6A74A0F8-7380-6025-CB01-00000000A301}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C3C9A1C5A64E23688973B4F8EB16D966,SHA256=894749C396FDDB354FA01312E39BD26F0F97DC092A6B719A803A8805A21BED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100269Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:49.575{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307E907A411F9D8132FF52BB4FA3C4D2,SHA256=72FA6C03BA4F68419448170F71320DE8AE8A75B17811874B8E6D479A2D4BDC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100268Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:49.309{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=635EEAF98C9CD7D2078E0EB47E80CEBD,SHA256=A9F0C7523D8DE5D65A9FBAFFC881E73669B26F21B11A77BD20C333C791E2DAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100273Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:50.669{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB998FA924DE042CDE9278D63315446,SHA256=733E6539F129A9CCB6DBCDDA29C7A1D66351EBFE03266B64DD5FC08885E381A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100272Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:50.434{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9149D71AD198673EA335DCE52C05AD81,SHA256=7AC289C3D4D1C4CDB0AF0B32644B41FAF08D1539856663554CD7D25F554F5473,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100277Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:54.646{6A74A0F8-7380-6025-CB01-00000000A301}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52529-false10.0.1.12-8089- 23542300x80000000000000002100276Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:51.684{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F6715CFF467315C7A24AFD47D6E101,SHA256=31F16D2967C40E1546A9B621F87AFC5AB7F9C565316FCBDE920017A5EED5F9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100275Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:51.528{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61E5A0F1BF5A4B7DB1794001DC65363D,SHA256=DD12376CF74EE0510B50AFD4770FE186EBB07E99A9FAC2DBDAD406A05AEBECFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100274Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:51.106{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3CBE18E12CB9B960F236096A8E28288,SHA256=B570F81EC9A631FD3D6250A516F4F05AA0199D2E7C50C1B5FC57AEDC701FE8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100280Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:52.700{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842EA277397C28798C5C1CFF3177BFCF,SHA256=D3D31545F5B7CD7473745FC95A85D05E76BB1BE17B49F865B766D66244A838D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100279Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:52.575{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D757DC9F1B377A04117AD86FF4CC9F5B,SHA256=7CB0D519C0A305253D969D96E83DC775E3740FCF8938D755A1CA6D76660E886A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100278Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:52.106{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B439EE3EB65E11302FF9A3407F60AD8,SHA256=4FF38AC127F7ED3678E03282A512101C8B4845F4DD3AD3DCDE45F11296C018A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002100283Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:53.684{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38AF08B3AFF78C7849BE491CC92832A6,SHA256=51D6E1A4F0AE69271FCB0B3DC4AFBCCC9F8A05266370C6E7DA83D440819A5DD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002100282Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:57.302{6A74A0F8-7387-6025-F901-00000000A301}2264C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-444.attackrange.local52530-false10.0.1.12-8000- 23542300x80000000000000002100281Microsoft-Windows-Sysmon/Operationalwin-dc-444.attackrange.local-2021-02-16 17:56:53.231{6A74A0F8-738D-6025-0202-00000000A301}4656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A7B01AA08AB10F7150C96E409BB5CA1,SHA256=0817D07B30EEBBADB6024D75ADA79ADDE22E3ACF70F3928613D2DE6C79814017,IMPHASH=00000000000000000000000000000000falsetrue